diff --git a/rules-deprecated/macos/proc_creation_macos_add_to_admin_group.yml b/deprecated/macos/proc_creation_macos_add_to_admin_group.yml similarity index 100% rename from rules-deprecated/macos/proc_creation_macos_add_to_admin_group.yml rename to deprecated/macos/proc_creation_macos_add_to_admin_group.yml diff --git a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml b/deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml old mode 100755 new mode 100644 similarity index 95% rename from rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml rename to deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml index acd3f9236ab..61bbb434823 --- a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml +++ b/deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml @@ -1,12 +1,12 @@ title: LSASS Memory Dump File Creation id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a -status: test +status: deprecated description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2022/10/09 +modified: 2023/08/29 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml b/deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml similarity index 96% rename from rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml rename to deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml index 479816a168b..44a04770647 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml +++ b/deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml 
@@ -1,12 +1,13 @@ title: Wscript Execution from Non C Drive id: 5b80cf53-3a46-4adc-960b-05ec19348d74 -status: experimental +status: deprecated description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file. references: - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/ author: Aaron Herman date: 2022/10/01 +modified: 2023/08/29 tags: - attack.execution - attack.t1059 diff --git a/rules-emerging-threats/image_load_malware_foggyweb_nobelium.yml b/rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml similarity index 100% rename from rules-emerging-threats/image_load_malware_foggyweb_nobelium.yml rename to rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml diff --git a/rules-emerging-threats/image_load_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml similarity index 100% rename from rules-emerging-threats/image_load_malware_pingback_backdoor.yml rename to rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_report_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_report_creation.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml 
diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_wermgr_creation.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_34362_wermgr_creation.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_34362_fake_wermgr.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml similarity index 100% rename from rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_34362_fake_wermgr.yml rename to rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml new file mode 100644 index 00000000000..ec61e1c75d9 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml 
@@ -0,0 +1,28 @@ +title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File +id: e4556676-fc5c-4e95-8c39-5ef27791541f +related: + - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 + type: similar +status: experimental +description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 +references: + - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ + - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/30 +tags: + - attack.execution + - cve.2023.38331 + - detection.emerging_threats +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: '\WinRAR.exe' + TargetFilename|contains: '\AppData\Local\Temp\Rar$' + TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml new file mode 100644 index 00000000000..9e66a653e58 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml 
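Review bot: The title, description and the `cve.2023.38331` tag name CVE-2023-38331, while both references, the `CVE-2023-38831` directory and the related rule in the next file are about CVE-2023-38831, and the file name `file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml` carries the same transposed digits. The child-process rule in the following hunk repeats the typo in its title, description and tag, so fix both together: `title: CVE-2023-38831 Exploitation Attempt - Suspicious Double Extension File`, `- cve.2023.38831`, and the CVE id in the description. Renaming the file so the id in the name matches the directory would keep a later grep for the CVE from missing it, as the `cve_2023_34362` → `cve_2023_36874` renames earlier in this commit show.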
@@ -0,0 +1,42 @@ +title: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process +id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343 +related: + - id: e4556676-fc5c-4e95-8c39-5ef27791541f + type: similar +status: experimental +description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. +references: + - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/ + - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md +author: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io) +date: 2023/08/30 +tags: + - detection.emerging_threats + - attack.execution + - attack.t1203 + - cve.2023.38331 +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\WinRAR.exe' + selection_folder: + CommandLine|contains: '\AppData\Local\Temp\Rar$' + selection_double_ext: + CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.' + selection_binaries: + # Note: add additional binaries that the attacker might use + - Image|endswith: + - '\cmd.exe' + - '\wscript.exe' + - OriginalFileName: + - 'Cmd.Exe' + - 'cscript.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'wscript.exe' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml new file mode 100644 index 00000000000..7cf5ccc31fb --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml 
@@ -0,0 +1,27 @@ +title: CVE-2023-40477 Potential Exploitation - .REV File Creation +id: c3bd6c55-d495-4c34-918e-e03e8828c074 +status: experimental +description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. +references: + - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ + - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC + - https://www.rarlab.com/vuln_rev3_names.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/31 +tags: + - attack.execution + - cve.2023.40477 + - detection.emerging_threats +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: + - '\explorer.exe' # When extracted via context menu + - '\WinRAR.exe' + TargetFilename|endswith: '.rev' + condition: selection +falsepositives: + - Legitimate extraction of multipart or recovery volumes ZIP files +level: low diff --git a/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml new file mode 100644 index 00000000000..a006293c034 --- /dev/null +++ b/rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml 
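Review bot: The falsepositives entry talks about "multipart or recovery volumes ZIP files", but a `.rev` file is a RAR recovery volume (the rarlab reference on the affected REV handling points the same way), so the wording misdescribes what the benign case looks like. `- Legitimate extraction or creation of RAR recovery volumes (.rev)` would state it accurately. The description's advice to look for a suspicious execution or a WinRAR crash shortly after creation is useful; naming the companion crash rule `e5a29b54-6fe7-4258-8a23-82960e31231a` in a `related` entry with `type: similar` would make that pivot discoverable from the rule itself.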
@@ -0,0 +1,34 @@ +title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash +id: e5a29b54-6fe7-4258-8a23-82960e31231a +status: experimental +description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477 +references: + - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/ + - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC + - https://www.rarlab.com/vuln_rev3_names.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/31 +tags: + - attack.execution + - cve.2023.40477 + - detection.emerging_threats +logsource: + product: windows + service: application +detection: + selection: + Provider_Name: 'Application Error' + EventID: 1000 + AppName: 'WinRAR.exe' + filter_main_fixed_version: + # TODO: fix this when the "lt" modifier is implemented for software versions + AppVersion|startswith: + - '6.23.' + - '6.24.' + - '6.25.' + - '6.26.' + - '7.' + condition: selection and not 1 of filter_main_* +falsepositives: + - Legitimate crash for reasons other than exploitation of the vulnerability +level: medium diff --git a/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml new file mode 100644 index 00000000000..afe5f7d8036 --- /dev/null +++ b/rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml 
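Review bot: `filter_main_fixed_version` only whitelists the prefixes `6.23.` through `6.26.` and `7.`, so a crash of any 6.27+, 6.3x or later 6.x build — all past the fix — would be reported as a potential CVE-2023-40477 exploitation until someone extends the list, and the TODO comment does not say that. Adding `- '6.27.'`, `- '6.28.'`, `- '6.29.'` and the broader `- '6.3'` … `- '6.9'` prefixes closes that gap with the same `startswith` logic until a version comparison modifier exists. The trailing dot in `6.23.` also assumes the logged AppVersion carries a further component (e.g. a build number); if the event ever records a bare `6.23`, none of these entries match — worth confirming against a real Event ID 1000 sample and noting in the comment.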
@@ -0,0 +1,26 @@ +title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 +id: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5 +status: experimental +description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID +references: + - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ + - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/31 +tags: + - attack.defense_evasion + - attack.t1218.011 + - detection.emerging_threats +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: + - '\1.dll, DllRegisterServer' # In case of full path exec + - ' 1.dll, DllRegisterServer' # In case of direct exec + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml similarity index 63% rename from rules/windows/process_creation/proc_creation_win_susp_compression_params.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml index b9579e09875..023e88f0de7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml 
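Review bot: Both `CommandLine|endswith` values hard-code a space after the comma (`1.dll, DllRegisterServer`), yet rundll32 accepts the entry point with no separating space as well, so `1.dll,DllRegisterServer` — the more common spelling in tooling — is not covered by this rule. Adding `- '\1.dll,DllRegisterServer'` and `- ' 1.dll,DllRegisterServer'` keeps the same two placement cases for the no-space form. The title also promises "Single Digit DLL" while the selection only matches `1.dll`; either narrow the title or say in the description that other single-digit names are intentionally left out.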
@@ -1,12 +1,12 @@ -title: Suspicious Compression Tool Parameters +title: Potentially Suspicious Compression Tool Parameters id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd status: test -description: Detects suspicious command line arguments of common data compression tools +description: Detects potentially suspicious command line arguments of common data compression tools references: - https://twitter.com/SBousseaden/status/1184067445612535811 author: Florian Roth (Nextron Systems), Samir Bousseaden date: 2019/10/15 -modified: 2021/11/27 +modified: 2023/08/29 tags: - attack.collection - attack.t1560.001 @@ -26,9 +26,11 @@ detection: - ' -sdel' - ' -dw' - ' -hp' - falsepositive: - ParentImage|startswith: 'C:\Program' - condition: selection and not falsepositive + filter_main_generic: + ParentImage|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml similarity index 81% rename from rules/windows/file/file_event/file_event_win_lsass_dump.yml rename to rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml index a16e60360b5..8ee112fa902 100644 --- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml +++ b/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml 
@@ -3,8 +3,10 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391 related: - id: db2110f3-479d-42a6-94fb-d35bc1e46492 type: obsoletes + - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a + type: obsoletes status: experimental -description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials +description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. references: - https://www.google.com/search?q=procdump+lsass - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf @@ -22,7 +24,7 @@ logsource: product: windows category: file_event detection: - selection1: + selection_1: TargetFilename|endswith: - '\lsass.dmp' - '\lsass.zip' @@ -30,22 +32,22 @@ detection: - '\Andrew.dmp' - '\Coredump.dmp' - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump - selection2: + selection_2: TargetFilename|contains: - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp - '\lsassdump' - '\lsassdmp' - selection3: + selection_3: TargetFilename|contains|all: - '\lsass' - '.dmp' - selection4: + selection_4: TargetFilename|contains: 'SQLDmpr' TargetFilename|endswith: '.mdmp' - selection5: + selection_5: TargetFilename|startswith: 'nanodump' TargetFilename|endswith: '.dmp' - condition: 1 of selection* + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml new file mode 100644 index 00000000000..31459627106 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml 
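Review bot: `selection_5` keeps `TargetFilename|startswith: 'nanodump'`, which can only match when the field holds a bare file name; Sysmon's file-creation events carry the full path in TargetFilename, so a `nanodump.dmp` written anywhere on disk would not hit this selection, and the commit renames the selection without touching that line. `TargetFilename|contains: '\nanodump'` together with the existing `endswith: '.dmp'` matches both forms. This is a context line the commit does not change; the middle of the rule sits between the three hunks, so please apply the same check to any selection not shown here.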
@@ -0,0 +1,31 @@ +title: VMMap Signed Dbghelp.DLL Potential Sideloading +id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d +related: + - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 + type: similar +status: experimental +description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. +references: + - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/09/05 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll' + Image|endswith: + - '\vmmap.exe' + - '\vmmap64.exe' + Signed: 'true' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp.yml b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml similarity index 75% rename from rules/windows/image_load/image_load_side_load_vmmap_dbghelp.yml rename to rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml index 454a3a555ef..16a2c60843e 100644 --- a/rules/windows/image_load/image_load_side_load_vmmap_dbghelp.yml +++ b/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml 
@@ -1,11 +1,15 @@ -title: VMMap Dbghelp.DLL Potential Sideloading +title: VMMap Unsigned Dbghelp.DLL Potential Sideloading id: 273a8dd8-3742-4302-bcc7-7df5a80fe425 +related: + - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d + type: similar status: experimental -description: Detects potential DLL sideloading of dbghelp.dll by the Sysinternals VMMap. +description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. references: - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/07/28 +modified: 2023/09/05 tags: - attack.defense_evasion - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml index 17457a40581..b0e513b695e 100644 --- a/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml +++ b/rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml @@ -4,12 +4,12 @@ related: - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc type: derived status: experimental -description: Detects a suspicious 7zip execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration +description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/27 -modified: 2023/03/10 +modified: 2023/08/31 tags: - attack.collection - attack.t1560.001 
@@ -32,5 +32,6 @@ detection: - '.dump' condition: all of selection_* falsepositives: - - Unknown -level: high + - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally + - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml similarity index 85% rename from rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml rename to rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml index 392250f9d69..d9029e28239 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml @@ -1,14 +1,14 @@ -title: Manage Engine Java Suspicious Sub Process +title: Suspicious Child Process Of Manage Engine ServiceDesk id: cea2b7ea-792b-405f-95a1-b903ea06458f status: experimental -description: Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process +description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service references: - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py - https://blog.viettelcybersecurity.com/saml-show-stopper/ author: Florian Roth (Nextron Systems) date: 2023/01/18 -modified: 2023/01/21 +modified: 2023/08/29 tags: - attack.command_and_control - attack.t1102 
@@ -21,41 +21,40 @@ detection: - '\ManageEngine\ServiceDesk\' - '\java.exe' Image|endswith: - - '\powershell.exe' - - '\sh.exe' + - '\AppVLP.exe' - '\bash.exe' - - '\pwsh.exe' - - '\schtasks.exe' - - '\certutil.exe' - - '\whoami.exe' # Often used in POCs - '\bitsadmin.exe' - - '\wscript.exe' + - '\calc.exe' + - '\certutil.exe' - '\cscript.exe' - - '\scrcons.exe' - # - '\regsvr32.exe' - # - '\hh.exe' - - '\wmic.exe' - - '\mshta.exe' - # - '\rundll32.exe' + - '\curl.exe' - '\forfiles.exe' - # - '\scriptrunner.exe' - '\mftrace.exe' - - '\AppVLP.exe' - - '\curl.exe' - - '\notepad.exe' # Often used in POCs - - '\systeminfo.exe' + - '\mshta.exe' - '\net.exe' - '\net1.exe' - - '\reg.exe' + - '\notepad.exe' # Often used in POCs + - '\powershell.exe' + - '\pwsh.exe' - '\query.exe' - filter_net: + - '\reg.exe' + - '\schtasks.exe' + - '\scrcons.exe' + - '\sh.exe' + - '\systeminfo.exe' + - '\whoami.exe' # Often used in POCs + - '\wmic.exe' + - '\wscript.exe' + # - '\hh.exe' + # - '\regsvr32.exe' + # - '\rundll32.exe' + # - '\scriptrunner.exe' + filter_main_net: Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: ' stop' - condition: selection and not 1 of filter_* -fields: - - CommandLine + condition: selection and not 1 of filter_main_* falsepositives: - Legitimate sub processes started by Manage Engine ServiceDesk Pro level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml rename to rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml index 935609c47ed..cd7757ee2f8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml +++ b/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml 
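Review bot: `filter_main_net` suppresses every `net.exe`/`net1.exe` child of the ServiceDesk Java process whose command line contains ` stop`, regardless of which service is being stopped, so a web-shell-driven stop of a security or backup service is filtered out together with the product's own service restarts. If the false positive is a known set of ServiceDesk services, add a `CommandLine|contains` with those service names to the filter so the exclusion is specific; if it is not, consider a separate lower-level rule for `net stop` from this parent rather than a blanket exclusion. The `selection` block that holds the parent path begins above this hunk.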
@@ -18,8 +18,8 @@ logsource: product: windows detection: selection: - Image|endswith: '\Windows\System32\lsass.exe' ParentImage|endswith: '\Windows\System32\lsass.exe' + Image|endswith: '\Windows\System32\lsass.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml new file mode 100644 index 00000000000..100bbf7440c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml @@ -0,0 +1,31 @@ +title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI +id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 +related: + - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 + type: similar +status: experimental +description: | + Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. +references: + - https://twitter.com/M_haggis/status/1699056847154725107 + - https://twitter.com/JAMESWT_MHT/status/1699042827261391247 + - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries + - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/09/05 +tags: + - attack.execution + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' + - 'http' + - ' 0' + condition: selection +falsepositives: + - Unknown +level: high 
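Review bot: The new IE ZoneMap rule is tagged only with the tactics `attack.execution` and `attack.defense_evasion` and no technique, although what it detects is a registry change, where `- attack.t1112` would be the fitting technique tag and `attack.execution` does not obviously apply. Separately, the third `contains|all` keyword `' 0'` is a two-character substring that matches any ` 0` anywhere in the command line (`/d 0x3`, a later numeric switch), so a command setting a non-zero zone value could still alert; since the first keyword already pins the `ProtocolDefaults` key path this is a precision rather than a coverage issue, but a note in the description saying the value check is approximate would help the analyst triaging it.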
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml index c75edce3895..8e3d0857fe6 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml @@ -1,12 +1,13 @@ -title: Suspicious Rundll32 Without Any CommandLine Params +title: Rundll32 Execution Without CommandLine Parameters id: 1775e15e-b61b-4d14-a1a3-80981298085a status: experimental description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity references: - https://www.cobaltstrike.com/help-opsec + - https://twitter.com/ber_m1ng/status/1397948048135778309 author: Florian Roth (Nextron Systems) date: 2021/05/27 -modified: 2022/10/06 +modified: 2023/08/31 tags: - attack.defense_evasion - attack.t1202 @@ -15,17 +16,15 @@ logsource: product: windows detection: selection: - CommandLine|endswith: '\rundll32.exe' - filter1: - ParentImage|endswith: '\svchost.exe' + CommandLine|endswith: + - '\rundll32.exe' + - '\rundll32.exe"' + - '\rundll32' filter2: ParentImage|contains: - '\AppData\Local\' - '\Microsoft\Edge\' condition: selection and not 1 of filter* -fields: - - ParentImage - - ParentCommandLine falsepositives: - Possible but rare level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index c550c7148b0..05d1f3f4a6c 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml 
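Review bot: In the second hunk the surviving filter is still called `filter2` and the condition still reads `not 1 of filter*`, while every other file in this commit moves to the `filter_main_*` naming; now that `filter1` is gone the numbered name has no counterpart and the wildcard would also pick up any future `filter_optional_*` block meant for a different condition. `filter_main_generic:` and `condition: selection and not 1 of filter_main_*` bring it in line with the sibling rules. The added `- '\rundll32'` value extends the match to command lines without an `.exe` suffix; a short inline comment on why the bare form is included would save the next reader a trip to the linked tweet.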
@@ -1,31 +1,28 @@ -title: Rundll32 With Suspicious Parent Process +title: Rundll32 Spawned Via Explorer.EXE id: 1723e720-616d-4ddc-ab02-f7e3685a4713 status: experimental -description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. +description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. references: - https://redcanary.com/blog/raspberry-robin/ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 -modified: 2023/02/09 +modified: 2023/08/31 tags: - attack.defense_evasion logsource: category: process_creation product: windows detection: + selection_parent: + ParentImage|endswith: '\explorer.exe' selection_img: - Image|endswith: '\rundll32.exe' - OriginalFileName: 'RUNDLL32.EXE' - selection_parent: - ParentImage|endswith: '\explorer.exe' - filter: + filter_main_generic: - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control - condition: all of selection_* and not filter -fields: - - Image - - ParentImage + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml index 51d9229d2d4..a05207ce74e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml 
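Review bot: The first `filter_main_generic` entry, `CommandLine|contains: ' C:\Windows\System32\'`, excludes any command line in which that path occurs anywhere, not only as the DLL being loaded, so a rundll32 launched by Explorer with a DLL from a user-writable location is dropped as soon as a System32 path appears in a later argument. If the intent is "the DLL argument lives under System32", anchoring on the DLL position — a `CommandLine|re` that requires the path right after the image, or an `endswith`-style check on the DLL name — would keep the exclusion tight; the comment that the leading space is required suggests the author already reasoned about anchoring, so spelling that reasoning out in the comment would help. The selection and filter renames are otherwise consistent with the rest of the commit.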
@@ -1,12 +1,13 @@ -title: Suspicious Windows App Activity +title: Potentially Suspicious Windows App Activity id: f91ed517-a6ba-471d-9910-b3b4a398c0f3 status: experimental -description: Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution +description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/12 +modified: 2023/08/31 tags: - attack.defense_evasion logsource: @@ -19,20 +20,29 @@ detection: selection_susp_img: Image|endswith: # You can add more LOLBINs - - '\poweshell.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' - '\pwsh.exe' - - '\rundll32.exe' - '\regsvr32.exe' - - '\mshta.exe' - - '\cscript.exe' + - '\rundll32.exe' - '\wscript.exe' selection_susp_cli: - # You can add more suspicious keywords + # You can add more potentially suspicious keywords CommandLine|contains: - 'cmd /c' - 'Invoke-' - 'Base64' - condition: selection_parent and 1 of selection_susp_* + filter_optional_terminal: + ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal' + ParentImage|endswith: '\WindowsTerminal.exe' + # Note: to avoid FP add the default shells and profiles that your WT integrates + Image|endswith: + - '\powershell.exe' + - '\cmd.exe' + - '\pwsh.exe' + condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_* falsepositives: - - Unknown -level: high + - Legitimate packages that make use of external binaries such as Windows Terminal +level: medium 
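Review bot: `filter_optional_terminal` is applied to the whole condition, so a `powershell.exe`, `cmd.exe` or `pwsh.exe` spawned by Windows Terminal whose command line contains `Invoke-`, `Base64` or `cmd /c` is suppressed as well, even though `selection_susp_cli` exists for exactly that signal and the filter never looks at the command line. Its own comment says it is meant to cover the default shells and profiles, which is an image-level exclusion; scoping it that way keeps the command-line detection: `condition: selection_parent and (selection_susp_cli or (selection_susp_img and not 1 of filter_optional_*))`. The `selection_parent` block sits between the two hunks.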
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml index 0b3d77e8717..acc6e6b8c6c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml @@ -12,7 +12,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/23 -modified: 2023/01/29 +modified: 2023/08/29 tags: - attack.credential_access - attack.t1555.003 @@ -38,10 +38,31 @@ detection: - 'robocopy.exe' selection_path: CommandLine|contains: - - '\Opera Software\Opera Stable\' - - '\Mozilla\Firefox\Profiles' - - '\Microsoft\Edge\User Data\' + - '\Amigo\User Data' + - '\BraveSoftware\Brave-Browser\User Data' + - '\CentBrowser\User Data' + - '\Chromium\User Data' + - '\CocCoc\Browser\User Data' + - '\Comodo\Dragon\User Data' + - '\Elements Browser\User Data' + - '\Epic Privacy Browser\User Data' + - '\Google\Chrome Beta\User Data' + - '\Google\Chrome SxS\User Data' - '\Google\Chrome\User Data\' + - '\Kometa\User Data' + - '\Maxthon5\Users' + - '\Microsoft\Edge\User Data' + - '\Mozilla\Firefox\Profiles' + - '\Nichrome\User Data' + - '\Opera Software\Opera GX Stable\' + - '\Opera Software\Opera Neon\User Data' + - '\Opera Software\Opera Stable\' + - '\Orbitum\User Data' + - '\QIP Surf\User Data' + - '\Sputnik\User Data' + - '\Torch\User Data' + - '\uCozMedia\Uran\User Data' + - '\Vivaldi\User Data' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index 9c6481fb758..c4732b6ddcf 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml 
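Review bot: The new `selection_path` entries drop the trailing backslash (`'\Microsoft\Edge\User Data'`, `'\Vivaldi\User Data'`) while `'\Google\Chrome\User Data\'`, `'\Opera Software\Opera Stable\'` and `'\Opera Software\Opera GX Stable\'` keep it; with `contains` the difference is harmless, but a mixed convention in one list invites someone to "fix" it later in the wrong direction. Pick one form for the whole list — dropping it everywhere is the simpler choice and is what most of the added lines already do. A one-line comment noting that the Edge/Firefox/Opera entries were reordered rather than removed would also make the hunk easier to read in blame.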
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml @@ -56,9 +56,6 @@ detection: - '$' - CommandLine|contains: '\Sysvol\' condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*) -fields: - - CommandLine - - ParentCommandLine falsepositives: - Administrative scripts level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml similarity index 84% rename from rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml rename to rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml index 34dcda4cd60..fb04981c242 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml 
@@ -1,18 +1,19 @@ -title: Suspicious Copy From or To System32 +title: Suspicious Copy From or To System Directory id: fff9d2b7-e11c-4a69-93d3-40ef66189767 related: - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 type: derived status: test description: | - Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk. - Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations + Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. + Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. references: - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html + - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) date: 2020/07/03 -modified: 2023/01/31 +modified: 2023/08/29 tags: - attack.defense_evasion - attack.t1036.003 
@@ -43,10 +44,8 @@ detection: CommandLine|contains: - '\System32' - '\SysWOW64' - condition: 1 of selection* and target -fields: - - CommandLine - - ParentCommandLine + - '\WinSxS' + condition: 1 of selection_* and target falsepositives: - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2 diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml new file mode 100644 index 00000000000..bad5fa4f57e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml 
@@ -0,0 +1,60 @@
+title: LOL-Binary Copied From System Directory
+id: f5d19838-41b5-476c-98d8-ba8af4929ee2
+related:
+ - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
+ type: derived
+status: experimental
+description: |
+ Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
+references:
+ - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
+ - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
+ - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/29
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_tools_cmd:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains: 'copy '
+ selection_tools_pwsh:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains:
+ - 'copy-item'
+ - ' copy '
+ - 'cpi '
+ - ' cp '
+ selection_tools_other:
+ - Image|endswith:
+ - '\robocopy.exe'
+ - '\xcopy.exe'
+ - OriginalFileName:
+ - 'robocopy.exe'
+ - 'XCOPY.EXE'
+ selection_target_path:
+ CommandLine|contains:
+ - '\System32'
+ - '\SysWOW64'
+ - '\WinSxS'
+ selection_target_lolbin:
+ CommandLine|contains:
+ # Note: add more binaries to increase coverage
+ - '\bitsadmin.exe'
+ - '\calc.exe'
+ - '\certutil.exe'
+ - '\cmdl32.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\wscript.exe'
+ condition: 1 of selection_tools_* and all of selection_target_*
+falsepositives:
+ - Unknown
+level: high
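Review bot: `selection_target_path` and `selection_target_lolbin` both use `CommandLine|contains`, so the rule fires whenever a system directory and a listed binary appear anywhere in the command line, which includes a copy *into* System32/SysWOW64/WinSxS (a repair or restore script putting `certutil.exe` back), while the title and description only speak of copies *from* those directories. The parent rule fff9d2b7 is titled "From or To System Directory"; either word this description the same way or add a `falsepositives` entry such as `- Scripts restoring or repairing system binaries by copying them back into the system directory`. Separately, `'cpi '` has no leading space while `' copy '` and `' cp '` do; if that is deliberate (to also match `-c "cpi ...`), a one-line comment next to it would save the next reader the question.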
diff --git a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml index 5a4e980a161..6f7c6794ad2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml @@ -66,10 +66,10 @@ detection: - 'WriteInt32' - 'WriteProcessMemory' - 'ZeroFreeGlobalAllocUnicode' - filter_mpcmdrun: + filter_optional_mpcmdrun: Image|endswith: '\MpCmdRun.exe' CommandLine|contains: 'GetLoadLibraryWAddress32' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml index 266ae31a1c2..e79c7c3baca 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml 
@@ -1,14 +1,17 @@ -title: LOLBIN From Abnormal Drive +title: LOLBIN Execution From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 +related: + - id: 5b80cf53-3a46-4adc-960b-05ec19348d74 + type: similar status: test -description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO. +description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO. references: - https://thedfirreport.com/2021/12/13/diavol-ransomware/ - https://www.scythe.io/library/threat-emulation-qakbot - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti' +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman date: 2022/01/25 -modified: 2023/04/12 +modified: 2023/08/29 tags: - attack.defense_evasion logsource: @@ -16,24 +19,27 @@ logsource: product: windows detection: selection: + # Note: add more lolbins for additional coverage - Image|endswith: - - '\rundll32.exe' - '\calc.exe' - - '\mshta.exe' + - '\certutil.exe' + - '\cmstp.exe' - '\cscript.exe' - - '\wscript.exe' - - '\regsvr32.exe' - '\installutil.exe' - - '\cmstp.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - OriginalFileName: - - 'RUNDLL32.EXE' - 'CALC.EXE' - - 'MSHTA.EXE' + - 'CertUtil.exe' + - 'CMSTP.EXE' - 'cscript.exe' - - 'wscript.exe' - - 'REGSVR32.EXE' - 'installutil.exe' - - 'CMSTP.EXE' + - 'MSHTA.EXE' + - 'REGSVR32.EXE' + - 'RUNDLL32.EXE' + - 'wscript.exe' filter_main_currentdirectory: CurrentDirectory|contains: 'C:\' filter_main_empty: diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml new file mode 100644 index 00000000000..000541351fc --- /dev/null 
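Review bot: The new `related` entry marks rule 5b80cf53 as `type: similar`, but the same hunk also appends that rule's author (Aaron Herman) to this rule's author list and the second hunk extends the LOLBIN set, which reads as this rule taking over the other one's coverage; if 5b80cf53 is being retired in favour of this rule, Sigma's `type: obsoletes` is the relation that says so, `similar` is not. If both rules are meant to keep coexisting, disregard this. Note that the `detection` block runs past the hunk (`filter_main_empty:` is cut off), so the filters were not reviewed here.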
+++ b/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml
@@ -0,0 +1,49 @@
+title: LSASS Dump Keyword In CommandLine
+id: ffa6861c-4461-4f59-8a41-578c39f3f23e
+related:
+ - id: a5a2d357-1ab8-4675-a967-ef9990a59391
+ type: derived
+status: test
+description: |
+ Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
+references:
+ - https://github.com/Hackndo/lsassy
+ - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
+ - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
+ - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
+ - https://github.com/helpsystems/nanodump
+ - https://github.com/CCob/MirrorDump
+author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2019/10/24
+modified: 2023/08/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - CommandLine|contains:
+ - 'lsass.dmp'
+ - 'lsass.zip'
+ - 'lsass.rar'
+ - 'Andrew.dmp'
+ - 'Coredump.dmp'
+ - 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
+ - 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
+ - 'lsassdump'
+ - 'lsassdmp'
+ - CommandLine|contains|all:
+ - 'lsass'
+ - '.dmp'
+ - CommandLine|contains|all:
+ - 'SQLDmpr'
+ - '.mdmp'
+ - CommandLine|contains|all:
+ - 'nanodump'
+ - '.dmp'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml b/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml
deleted file mode 100644
index 7a96420bc73..00000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml
+++ /dev/null
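Review bot: The generic `CommandLine|contains|all: 'lsass' + '.dmp'` selector is carried over from proc_creation_win_susp_lsass_dump.yml (same id ffa6861c, deleted later in this commit), but that rule's `filter: Image|endswith: '\werfault.exe'` exclusion is not, and `falsepositives` still reads `Unlikely`. If the exclusion was dropped on purpose, say so above the selector, e.g. `# Note: the werfault.exe exclusion of the previous version was dropped intentionally` with the reason, otherwise reinstate it as `filter_main_werfault` and change the condition to `condition: selection and not 1 of filter_main_*`. The inline comment on `'lsass_2'` already implies it, but it is worth stating that this keyword only covers procdump default names dated 2020-2029.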
@@ -1,34 +0,0 @@
-title: LSASS Memory Dumping
-id: ffa6861c-4461-4f59-8a41-578c39f3f23e
-status: test
-description: |
- Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.
- Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-date: 2019/10/24
-modified: 2023/03/06
-tags:
- - attack.credential_access
- - attack.t1003.001
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains|all:
- - 'lsass'
- - '.dmp'
- filter:
- Image|endswith: '\werfault.exe'
- condition: selection and not filter
-fields:
- - ComputerName
- - User
- - CommandLine
-falsepositives:
- - Unlikely
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_dmp.yml b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
similarity index 67%
rename from rules/windows/process_creation/proc_creation_win_winrar_dmp.yml
rename to rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
index a12b1f27fe7..1c9c49c91db 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_dmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml
@@ -4,12 +4,12 @@ related: - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7 type: similar status: experimental -description: Detects a suspicious winrar execution that involves a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration +description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth (Nextron Systems) date: 2022/01/04 -modified: 2023/03/10 +modified: 2023/09/07 tags: - attack.collection - attack.t1560.001 @@ -28,5 +28,6 @@ detection: - '.dump' condition: all of selection_* falsepositives: - - Legitimate use of WinRAR with a command line in which .dmp appears accidentally -level: high + - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally + - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml new file mode 100644 index 00000000000..28aa3f046ec --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml 
@@ -0,0 +1,45 @@
+title: Potentially Suspicious Child Process Of WinRAR.EXE
+id: 146aace8-9bd6-42ba-be7a-0070d8027b76
+related:
+ - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
+ type: similar
+status: experimental
+description: Detects potentially suspicious child processes of WinRAR.exe.
+references:
+ - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
+ - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/31
+tags:
+ - attack.execution
+ - attack.t1203
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\WinRAR.exe'
+ selection_binaries:
+ # Note: add additional binaries that the attacker might use
+ - Image|endswith:
+ - '\cmd.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\wscript.exe'
+ - OriginalFileName:
+ - 'Cmd.Exe'
+ - 'cscript.exe'
+ - 'mshta.exe'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - 'regsvr32.exe'
+ - 'RUNDLL32.EXE'
+ - 'wscript.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_winrar_execution.yml b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
similarity index 56%
rename from rules/windows/process_creation/proc_creation_win_winrar_execution.yml
rename to rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
index 4b17df4e404..c8ec1cd9891 100644
--- a/rules/windows/process_creation/proc_creation_win_winrar_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml
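Review bot: `falsepositives` lists only `Unknown`, yet the CVE-2023-38831 write-ups referenced here hinge on WinRAR.exe launching whatever the user opens from inside an archive, so presumably a user double-clicking a `.bat`, `.cmd`, `.js` or `.vbs` in a benign archive produces exactly the `cmd.exe`/`wscript.exe`/`cscript.exe` children this rule keys on. Spell that out so analysts know what the benign case looks like, e.g. `- Legitimate execution of scripts or installers opened directly from within WinRAR`; `level: medium` already reflects it. The description could likewise mention that the pattern is the one abused in CVE-2023-38831, since the references alone do not make the intent obvious.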
@@ -6,7 +6,7 @@ references: - https://twitter.com/cyb3rops/status/1460978167628406785 author: Florian Roth (Nextron Systems), Tigzy date: 2021/11/17 -modified: 2022/12/25 +modified: 2023/08/31 tags: - attack.collection - attack.t1560.001 @@ -19,12 +19,17 @@ detection: - '\rar.exe' - '\winrar.exe' - Description: 'Command line RAR' - filter: + filter_main_unrar: + # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression + Image|endswith: '\UnRAR.exe' + filter_main_path: Image|contains: - - '\WinRAR' - - 'C:\Windows\Temp' - - '\UnRAR.exe' - condition: selection and not filter + - ':\Program Files (x86)\WinRAR\' + - ':\Program Files\WinRAR\' + filter_optional_temp: + # Note: in some occasion installers were seen dropping "rar" in TEMP + Image|contains: ':\Windows\Temp\' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate use of WinRAR in a folder of a software that bundles WinRAR -level: high +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml new file mode 100644 index 00000000000..19d7840bd8a --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml 
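Review bot: `filter_optional_temp` excludes every image under `:\Windows\Temp\`, which is also a common staging location, so a `rar.exe` dropped there by an intruder is filtered out unless the consumer removes the optional filter; the old `'C:\Windows\Temp'` exclusion did the same, so this is not a regression, but the new `filter_optional_` naming is the first time the trade-off is made explicit. Expand the comment to say so, e.g. `# Note: installers were seen dropping "rar" in TEMP; drop this filter if Windows\Temp is treated as a staging location in your environment`, or narrow it to the installer sub-folders actually observed. The tighter `filter_main_path` (`:\Program Files\WinRAR\` and the x86 variant) means WinRAR bundled inside another product's folder now fires, which the existing `falsepositives` entry and the lowered `level: medium` already account for.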
@@ -0,0 +1,31 @@
+title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
+id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
+related:
+ - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
+ type: similar
+status: experimental
+description: |
+ Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
+references:
+ - https://twitter.com/M_haggis/status/1699056847154725107
+ - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
+ - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+ - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
+author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
+date: 2023/09/05
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
+ TargetObject|endswith:
+ - '\http'
+ - '\https'
+ Details|contains: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
new file mode 100644
index 00000000000..6a02c0cc6db
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml
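Review bot: `tags` carries only the tactic `attack.defense_evasion` and no technique, although a registry-value change like this maps directly to Modify Registry, `- attack.t1112`; the same gap exists in registry_set_tls_protocol_old_version_enabled.yml later in this commit, so both new rules should get the technique tag. Also, `Details|contains: 'DWORD (0x00000000)'` uses `contains` while that sibling rule uses an exact `Details: 'DWORD (0x00000001)'`; since the value given is already the fully rendered string, the two new rules should settle on one style, preferably the exact match.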
@@ -0,0 +1,24 @@
+title: Old TLS1.0/TLS1.1 Protocol Version Enabled
+id: 439957a7-ad86-4a8f-9705-a28131c6821b
+status: experimental
+description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
+references:
+ - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/09/05
+tags:
+ - attack.defense_evasion
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains:
+ - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
+ - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
+ TargetObject|endswith: '\Enabled'
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Legitimate enabling of the old tls versions due to incompatibility
+level: medium
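Review bot: `Details: 'DWORD (0x00000001)'` only matches an exact 1, but Microsoft's SCHANNEL guidance has long documented the `Enabled` value as accepting `0xFFFFFFFF` as well as 1 to turn a protocol on, so a re-enable written with that value (still common in older hardening scripts being reverted) is missed. Match both by turning the scalar into a list, `Details:` with `- 'DWORD (0x00000001)'` and `- 'DWORD (0xFFFFFFFF)'`; Sigma matching is case-insensitive by default, so the hex case is irrelevant. The description's "for the "Protocols" registry key" could also name the `Client`/`Server` subkeys the `\Enabled` value actually lives under, which is what the `TargetObject|contains ... \TLS 1.0\` plus `|endswith '\Enabled'` pair is spanning.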