diff --git a/rules/mft/adamntds_dit_mft.yml b/rules/mft/adamntds_dit_mft.yml
index 6b21c631..4b661902 100644
--- a/rules/mft/adamntds_dit_mft.yml
+++ b/rules/mft/adamntds_dit_mft.yml
@@ -33,9 +33,11 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
- condition: (adamntds and adamntds_1) and not adamntds_2
+ condition: (adamntds and adamntds_1) and not (adamntds_2 or adamntds_3)
 adamntds:
 FullPath:
@@ -47,6 +49,10 @@ filter:
 adamntds_2:
 FullPath:
- - 'iProgram Files\Microsoft ADAM\*'
- - 'iWindows\WinSxS*'
- - 'iWindows\servicing\LCU\*'
\ No newline at end of file
+ - 'iProgram Files/Microsoft ADAM/*'
+ - 'iWindows/WinSxS*'
+ - 'iWindows/servicing/LCU/*'
+
+ adamntds_3:
+ FileSize:
+ - 55
\ No newline at end of file
diff --git a/rules/mft/advanced_ip_scanner_mft.yml b/rules/mft/advanced_ip_scanner_mft.yml
index a9fd060d..8027433c 100644
--- a/rules/mft/advanced_ip_scanner_mft.yml
+++ b/rules/mft/advanced_ip_scanner_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
diff --git a/rules/mft/advanced_port_scanner_mft.yml b/rules/mft/advanced_port_scanner_mft.yml
index 52a4ebb8..ee03f7a7 100644
--- a/rules/mft/advanced_port_scanner_mft.yml
+++ b/rules/mft/advanced_port_scanner_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: aps and (aps_1 or aps_2 or aps_3 or aps_4)
diff --git a/rules/mft/angry_ip_scanner_mft.yml b/rules/mft/angry_ip_scanner_mft.yml
index dd8a20af..5efe7f9b 100644
--- a/rules/mft/angry_ip_scanner_mft.yml
+++ b/rules/mft/angry_ip_scanner_mft.yml
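Review bot: The new `adamntds_3` exclusion in the second hunk drops every record whose `FileSize` is exactly `55` without saying why, and `ntds_dit_mft.yml` gains the identical `ntds_3` block in its later hunk on this page. A bare magic number in a negated clause of a credential-store rule is hard to audit later, so add a comment above the entry naming the artefact it suppresses, e.g. `# 55-byte entries are <describe the benign source here>; excluded to avoid noise`. If the intent is to drop tiny stub entries rather than one exact size, an equality match misses sizes off by a byte; I cannot tell from the page whether the matcher supports a range, so confirm that before relying on it. The path-separator switch from `\` to `/` in the same hunk matches the forward-slash style used by the new `sup_script_exec_*` rules.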
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
diff --git a/rules/mft/anydesk_mft.yml b/rules/mft/anydesk_mft.yml
index ba82140c..aee2a05e 100644
--- a/rules/mft/anydesk_mft.yml
+++ b/rules/mft/anydesk_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: anydesk and (anydesk_1 or anydesk_2 or anydesk_3 or anydesk_4 or anydesk_5 or anydesk_6)
diff --git a/rules/mft/browserscan_mft.yml b/rules/mft/browserscan_mft.yml
index 3dc51fa9..49e8b922 100644
--- a/rules/mft/browserscan_mft.yml
+++ b/rules/mft/browserscan_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: (browserscan and browserscan_loot) or (browserscan_1 and browserscan_2)
diff --git a/rules/mft/filezilla_mft.yml b/rules/mft/filezilla_mft.yml
index abb1d52a..b10fe757 100644
--- a/rules/mft/filezilla_mft.yml
+++ b/rules/mft/filezilla_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: filezilla and (filezilla_1 or filezilla_2 or filezilla_3 or filezilla_4)
diff --git a/rules/mft/lsass_dmp_mft.yml b/rules/mft/lsass_dmp_mft.yml
index ab194cdd..62c0e336 100644
--- a/rules/mft/lsass_dmp_mft.yml
+++ b/rules/mft/lsass_dmp_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: lsass and (lsass_1 or lsass_2)
diff --git a/rules/mft/megasync_mft.yml b/rules/mft/megasync_mft.yml
index fed98423..30b30a3c 100644
--- a/rules/mft/megasync_mft.yml
+++ b/rules/mft/megasync_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: ms and (ms_1 or ms_2 or ms_3)
diff --git a/rules/mft/mimikatz_mft.yml b/rules/mft/mimikatz_mft.yml
index c3fb5a0b..14530b40 100644
--- a/rules/mft/mimikatz_mft.yml
+++ b/rules/mft/mimikatz_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: mimikatz
diff --git a/rules/mft/netscan_mft.yml b/rules/mft/netscan_mft.yml
index 3f181566..2ea61749 100644
--- a/rules/mft/netscan_mft.yml
+++ b/rules/mft/netscan_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: netscan and (netscan_1 or netscan_2 or netscan_3)
diff --git a/rules/mft/nirsoft_mft.yml b/rules/mft/nirsoft_mft.yml
index 6e8d0c8a..f3281885 100644
--- a/rules/mft/nirsoft_mft.yml
+++ b/rules/mft/nirsoft_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: nirsoft and (nirsoft_1 or nirsoft_2 or nirsoft_3)
diff --git a/rules/mft/ntds_dit_mft.yml b/rules/mft/ntds_dit_mft.yml
index e1b82c6a..d29875f3 100644
--- a/rules/mft/ntds_dit_mft.yml
+++ b/rules/mft/ntds_dit_mft.yml
@@ -33,9 +33,11 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
- condition: (ntds and ntds_1) and not ntds_2
+ condition: (ntds and ntds_1) and not (ntds_2 or ntds_3)
 ntds:
 FullPath:
@@ -47,7 +49,11 @@ filter:
 ntds_2:
 FullPath:
- - 'iWindows\NTDS\NTDS.dit'
- - 'iWindows\WinSxS*'
- - 'iWindows\servicing\LCU\*'
- - 'i*adamntds.dit*'
\ No newline at end of file
+ - 'iWindows/NTDS/NTDS.dit'
+ - 'iWindows/WinSxS*'
+ - 'iWindows/servicing/LCU/*'
+ - 'i*adamntds.dit*'
+
+ ntds_3:
+ FileSize:
+ - 55
\ No newline at end of file
diff --git a/rules/mft/processhacker_mft.yml b/rules/mft/processhacker_mft.yml
index 1c3304e6..e4e43278 100644
--- a/rules/mft/processhacker_mft.yml
+++ b/rules/mft/processhacker_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: ph and (ph_1 or ph_2 or ph_3 or ph_4)
diff --git a/rules/mft/psexec_mft.yml b/rules/mft/psexec_mft.yml
index e0915daf..7f37cac5 100644
--- a/rules/mft/psexec_mft.yml
+++ b/rules/mft/psexec_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: psexec or (key_1 and key_2)
diff --git a/rules/mft/pstools_mft.yml b/rules/mft/pstools_mft.yml
index 17131df4..62d99839 100644
--- a/rules/mft/pstools_mft.yml
+++ b/rules/mft/pstools_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: pstools or (pstools_1 and pstools_2)
diff --git a/rules/mft/rclone_mft.yml b/rules/mft/rclone_mft.yml
index 277763ce..45a6111f 100644
--- a/rules/mft/rclone_mft.yml
+++ b/rules/mft/rclone_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: rclone or (rclone_1 and rclone_2)
diff --git a/rules/mft/rubeus_mft.yml b/rules/mft/rubeus_mft.yml
index c182d4f1..4d7c3196 100644
--- a/rules/mft/rubeus_mft.yml
+++ b/rules/mft/rubeus_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: rubeus
diff --git a/rules/mft/shadow_dumper_mft.yml b/rules/mft/shadow_dumper_mft.yml
index a8a3aa4e..8dafac56 100644
--- a/rules/mft/shadow_dumper_mft.yml
+++ b/rules/mft/shadow_dumper_mft.yml
@@ -33,6 +33,8 @@ fields:
 to: IsDeleted
 - name: HasAlternateDataStreams
 to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
 filter:
 condition: shadowdumper
diff --git a/rules/mft/sup_script_exec_intel_mft.yml b/rules/mft/sup_script_exec_intel_mft.yml
new file mode 100644
index 00000000..c3d78199
--- /dev/null
+++ b/rules/mft/sup_script_exec_intel_mft.yml
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Location - Intel
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iIntel/*'
\ No newline at end of file
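Review bot: The 71-entry `sup` extension list in this hunk is repeated verbatim in every other new `sup_script_exec_*` file on this page, and the copies have already drifted: `sup_script_exec_programdata_mft.yml` and `sup_script_exec_public_mft.yml` omit `'i*.lnk'` while the rest include it. If leaving shortcuts out there is deliberate (Public Desktop and ProgramData Start Menu shortcuts are expected content), record it in those two files with `# .lnk intentionally omitted: shortcut files are normal in this location`; otherwise re-add the entry so all copies stay aligned. For this Intel rule specifically, `Intel/*` is commonly where Intel's own driver and chipset installers stage `.inf`, `.sys`, `.dll` and `.bin` files, so expect volume at `level: low` unless an exclusion block like the ProgramData rule's `directoryexc` is added. Every new file on the page also ends without a trailing newline.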
diff --git a/rules/mft/sup_script_exec_perflogs_mft.yml b/rules/mft/sup_script_exec_perflogs_mft.yml
new file mode 100644
index 00000000..c6dd0ca3
--- /dev/null
+++ b/rules/mft/sup_script_exec_perflogs_mft.yml
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Location - PerfLogs
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iPerfLogs/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_program_files_root_mft.yml b/rules/mft/sup_script_exec_program_files_root_mft.yml
new file mode 100644
index 00000000..eebcbf02
--- /dev/null
+++ b/rules/mft/sup_script_exec_program_files_root_mft.yml
@@ -0,0 +1,123 @@
+---
+title: Suspicious Script or Executable Location - Program Files Root of Folder
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and regex
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iProgram Files/*'
+ - 'iProgram Files 
(x86)/*'
+
+ regex:
+ FullPath:
+ - 'i?^[^\x00/?%*:|"<>\.]+/[^\x00/?%*:|"<>\.]+(?:\.[^\x00/?%*:|"<>\.]+)?$'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_programdata_mft.yml b/rules/mft/sup_script_exec_programdata_mft.yml
new file mode 100644
index 00000000..c23c19d4
--- /dev/null
+++ b/rules/mft/sup_script_exec_programdata_mft.yml
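Review bot: The `regex` block rejects any file name containing more than one dot, because both the name segment and the optional extension segment exclude `.` and the pattern is anchored with `$`; a root-level `Program Files/setup.v2.exe` therefore never matches even though `sup` accepts it. Since `sup` already enforces the extension, the final segment only needs to forbid a further `/`, e.g. `- 'i?^[^\x00/?%*:|"<>\.]+/[^\x00/?%*:|"<>]+$'`. Worth a one-line comment above the entry stating its purpose, e.g. `# exactly one path component below the directory: files directly in Program Files root`, since the character class is dense. The `'iProgram Files (x86)/*'` entry appears broken across two lines here, which looks like a page rendering artefact rather than the file content.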
@@ -0,0 +1,121 @@
+---
+title: Suspicious Script or Executable Location - ProgramData
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: info
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and not directoryexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+
+ directory:
+ FullPath:
+ - 'iProgramData/*'
+
+ directoryexc:
+ FullPath:
+ - 
'iProgramData/Microsoft/Windows Defender/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_public_mft.yml b/rules/mft/sup_script_exec_public_mft.yml
new file mode 100644
index 00000000..757aa5dd
--- /dev/null
+++ b/rules/mft/sup_script_exec_public_mft.yml
@@ -0,0 +1,117 @@
+---
+title: Suspicious Script or Executable Location - Public User
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+
+ directory:
+ FullPath:
+ - 'iUsers/Public/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_recyclebin_mft.yml b/rules/mft/sup_script_exec_recyclebin_mft.yml
new file mode 100644
index 00000000..bb82052d
--- /dev/null
+++ b/rules/mft/sup_script_exec_recyclebin_mft.yml
@@ -0,0 +1,123 @@
+---
+title: Suspicious Script or Executable Location - Recycle Bin
+group: MFT
+description: Suspicious Script or Executable in Recycle Bin. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and name
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'i$Recycle.Bin/*'
+
+ name:
+ FullPath:
+ - 'i*/$I*'
+ - 'i*/$R*'
\ No newline
at end of file
diff --git a/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml b/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml
new file mode 100644
index 00000000..c06ce428
--- /dev/null
+++ b/rules/mft/sup_script_exec_recyclebin_nonstand_mft.yml
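Review bot: The `name` block admits only the standard `$I`/`$R` record names, which is presumably what Windows creates whenever any user deletes a file through Explorer, so at `level: medium` this rule will fire on every routine recycling of a `.exe`, `.dll` or `.lnk`, not only on staged tooling. The companion `sup_script_exec_recyclebin_nonstand_mft.yml` (`not name`) is the one that captures anomalous naming; this rule's `description` is identical to it and does not say how an analyst should treat a hit. Consider `description: Script or executable recycled under a standard $I/$R name; the $I record holds the original path for triage. Potential Threat Actor Activity.` or a lower level so the two rules read as the pair they are.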
@@ -0,0 +1,123 @@
+---
+title: Suspicious Script or Executable Location - Recycle Bin Non-Standard Name
+group: MFT
+description: Suspicious Script or Executable in Recycle Bin. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and not name
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'i$Recycle.Bin/*'
+
+ name:
+ FullPath:
+ - 'i*/$I*'
+ - 
'i*/$R*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_root_mft.yml b/rules/mft/sup_script_exec_root_mft.yml
new file mode 100644
index 00000000..b8cb5351
--- /dev/null
+++ b/rules/mft/sup_script_exec_root_mft.yml
@@ -0,0 +1,122 @@
+---
+title: Suspicious Script or Executable Location - Root of Drive
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: medium
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and not directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'i*/*'
+ - 'i$Recycle.bin'
+ - 'ipagefile.sys'
+ - 
'iswapfile.sys'
+ - 'ihiberfil.sys'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml b/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml
new file mode 100644
index 00000000..d464722b
--- /dev/null
+++ b/rules/mft/sup_script_exec_root_nonstand_fold_mft.yml
@@ -0,0 +1,135 @@
+---
+title: Suspicious Script or Executable Location - Non-Standard Folder Root of Drive
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and not directoryexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'i*/*'
+
+ directoryexc:
+ 
FullPath:
+ - 'i$Recycle.Bin/*'
+ - 'iDocuments and Settings/*'
+ - 'iUsers/*'
+ - 'iPerfLogs/*'
+ - 'iProgram Files/*'
+ - 'iProgram Files (x86)/*'
+ - 'iProgramData/*'
+ - 'iRecovery/*'
+ - 'iSystem Volume Information/*'
+ - 'iWindows/*'
+ - 'i[Unknown]/*'
+ - 'iIntel/*'
+ - 'iTemp/*'
+ - 'iWindows.old/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_root_temp_mft.yml b/rules/mft/sup_script_exec_root_temp_mft.yml
new file mode 100644
index 00000000..d6e55a80
--- /dev/null
+++ b/rules/mft/sup_script_exec_root_temp_mft.yml
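Review bot: `'i[Unknown]/*'` in `directoryexc` is the one entry whose meaning depends on the glob dialect: if the matcher treats `[...]` as a character class it matches a single-letter top folder rather than the literal `[Unknown]` placeholder, and the exclusion silently stops working. I cannot tell from the page which applies, so confirm against the matcher and add `# literal "[Unknown]" parent emitted by the MFT parser for unresolved paths, not a character class` (or escape it) so the next reader does not have to. The `'i*/*'` shape here and its negated use in `sup_script_exec_root_mft.yml` both assume `FullPath` carries no drive-letter or leading-slash prefix, which is consistent with every other pattern on this page but is worth one comment on the `directory` block.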
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Location - Root Temp
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iTemp/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_rtlo_mft.yml b/rules/mft/sup_script_exec_rtlo_mft.yml
new file mode 100644
index 00000000..d9c8f6f9
--- /dev/null
+++ b/rules/mft/sup_script_exec_rtlo_mft.yml
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Using RTLO
+group: MFT
+description: Suspicious Script or Executable using Right To Left Override Character U+202E. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: high
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and rtlo
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ rtlo:
+ FullPath:
+ - 'i*‮*'
\ No newline at end of file
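Review bot: The only selector in `rtlo` is the glob `'i*‮*'`, whose payload is the invisible U+202E code point; an editor, formatter or copy-paste can strip or replace it without any visible change, and a reader cannot tell from the text that the line matches anything at all. Add a comment directly above it, e.g. `# U+202E RIGHT-TO-LEFT OVERRIDE sits between the two asterisks (invisible) - do not reformat this line`, and if tau's `?` regex matcher accepts Rust-style escapes, a visible form such as `'i?\x{202E}'` would be more robust than the raw code point (check that the regex match is unanchored before switching). The same disguise works with U+202D (LEFT-TO-RIGHT OVERRIDE) and the bidi isolate controls U+2066-U+2069, so those code points are worth adding as further entries. Finally, `condition: sup and rtlo` limits hits to the extension list, whereas any bidi override in an MFT file name is anomalous on its own; a second, lower-level rule without the `sup` clause would catch RTLO-disguised archives, `.iso` or `.docm` payloads that this one misses.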
diff --git a/rules/mft/sup_script_exec_user_desktop_mft.yml b/rules/mft/sup_script_exec_user_desktop_mft.yml
new file mode 100644
index 00000000..c0139837
--- /dev/null
+++ b/rules/mft/sup_script_exec_user_desktop_mft.yml
@@ -0,0 +1,128 @@
+---
+title: Suspicious Script or Executable Location - User Desktop
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: info
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory and desktop) and not directoryexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+
+ directory:
+ FullPath:
+ - 'iUsers/*'
+
+ desktop:
+ FullPath:
+ - 'i*/Desktop/*'
+
+ directoryexc:
+ FullPath:
+ - 'iUsers/Public/*'
+ - 'iUsers/All Users/*'
+ - 'i*/AppData/*'
+ - 'i*/Downloads/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_user_downloads_mft.yml b/rules/mft/sup_script_exec_user_downloads_mft.yml
new file mode 100644
index 00000000..1399aab2
--- /dev/null
+++ b/rules/mft/sup_script_exec_user_downloads_mft.yml
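Review bot: `directoryexc` removes `Users/Public/*` from this rule, yet `C:\Users\Public` is writable by every local account and `Public\Desktop` is merged into every interactive user's desktop, which makes it a common staging and persistence location precisely because no one "owns" it; excluding it drops the highest-value Desktop path this rule could report. Consider removing `- 'iUsers/Public/*'` from `directoryexc`, or giving Public its own rule at a level above `info`. The `'iUsers/All Users/*'` entry is probably inert: `All Users` is a junction to `ProgramData`, so the MFT records of files under it should surface under `ProgramData/` rather than `Users/All Users/` - harmless, but worth a comment if it is kept deliberately. The rule body (`sup`, `directory`, `desktop`, `directoryexc`) is complete within this hunk.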
@@ -0,0 +1,129 @@
+---
+title: Suspicious Script or Executable Location - User Downloads
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: info
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory and downloads) and not directoryexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iUsers/*'
+
+ downloads:
+ FullPath:
+ - 'i*/Downloads/*'
+
+ directoryexc:
+ FullPath:
+ - 'iUsers/Public/*'
+ - 'iUsers/All Users/*'
+ - 'i*/AppData/*'
+ - 'i*/Desktop/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_user_mft.yml b/rules/mft/sup_script_exec_user_mft.yml
new file mode 100644
index 00000000..bcf9ca76
--- /dev/null
+++ b/rules/mft/sup_script_exec_user_mft.yml
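Review bot: The description `Suspicious Script or Executable in a different location than standard` is wrong for this rule: a user's Downloads folder is exactly where legitimately downloaded installers and executables are expected, which is presumably why the level is `info`. A description that says what the output is for would stop analysts treating every hit as a finding, e.g. `description: Script or executable present in a user Downloads folder. Expected for legitimate downloads; intended for timeline enrichment and triage of initial-access artefacts rather than alerting. Potential Threat Actor Activity.` It is also worth stating that the rule does not filter on `IsDeleted`, so deleted records that still carry a matching name are reported - a payload downloaded and then removed is the more interesting case, and the `IsDeleted` column is the first thing to sort on. The `Users/Public/*` exclusion has the same drawback as in the Desktop rule, since `Public\Downloads` is writable by every local account.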
@@ -0,0 +1,125 @@
+---
+title: Suspicious Script or Executable Location - Unusual User Path
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: info
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory) and not directoryexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+
+ directory:
+ FullPath:
+ - 'iUsers/*'
+
+ directoryexc:
+ FullPath:
+ - 'iUsers/Public/*'
+ - 'iUsers/All Users/*'
+ - 'i*/AppData/*'
+ - 'i*/Downloads/*'
+ - 'i*/Desktop/*'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_windows_root_mft.yml b/rules/mft/sup_script_exec_windows_root_mft.yml
new file mode 100644
index 00000000..87715b51
--- /dev/null
+++ b/rules/mft/sup_script_exec_windows_root_mft.yml
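Review bot: `directoryexc` excludes `*/AppData/*` wholesale and no rule in this change covers it, so `Users\<user>\AppData\Local\Temp` and `AppData\Roaming` - the per-user temp and roaming directories that commodity droppers use far more often than `C:\Temp` or `C:\Windows\Temp`, both of which do get their own rule here - go unwatched unless an existing rule outside this diff already handles them. Add a sibling rule, e.g. `sup_script_exec_user_appdata_temp_mft.yml` with `directory: FullPath: - 'iUsers/*/AppData/Local/Temp/*'` at the same `low` level as the Windows Temp rule, or narrow the blanket AppData exclusion to the specific noisy vendor subtrees you want to drop. Separately, `'iUsers/*'` combined with `.js`, `.py`, `.pyc` and `.dll` in `sup` will enumerate every `node_modules`, virtualenv and IDE-extension tree on a developer workstation; `info` keeps that from alerting, but the description should say this is an inventory rule rather than a detection, e.g. `description: Script or executable in a user profile outside AppData, Desktop and Downloads. High volume on developer hosts; intended for triage and baselining.`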
@@ -0,0 +1,140 @@
+---
+title: Suspicious Script or Executable Location - Windows Root of Folder
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: (sup and directory and regex) and not filesexc
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iWindows/*'
+
+ regex:
+ FullPath:
+ - 'i?^[^\x00/?%*:|"<>\.]+/[^\x00/?%*:|"<>\.]+(?:\.[^\x00/?%*:|"<>\.]+)?$'
+
+ filesexc:
+ FullPath:
+ - 'ibfsvc.exe'
+ - 'iexplorer.exe'
+ - 'iHelpPane.exe'
+ - 'ihh.exe'
+ - 'imib.bin'
+ - 'inotepad.exe'
+ - 'iregedit.exe'
+ - 'isplwow64.exe'
+ - 'itwain_32.dll'
+ - 'itwain.dll'
+ - 'iwinhlp32.exe'
+ - 'iwrite.exe'
+ - 'ifveupdate.exe'
+ - 'itwunk_16.exe'
+ - 'itwunk_32.exe'
\ No newline at end of file
diff --git a/rules/mft/sup_script_exec_windows_temp_mft.yml b/rules/mft/sup_script_exec_windows_temp_mft.yml
new file mode 100644
index 00000000..077ed10c
--- /dev/null
+++ b/rules/mft/sup_script_exec_windows_temp_mft.yml
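Review bot: The `filesexc` entries are bare file names (`'iexplorer.exe'`, `'inotepad.exe'`, ...) while the value they are compared against is `FullPath`, which the `directory` selector in the same hunk shows carries the `Windows/` prefix. If tau's plain string match is exact (every other selector in these rules adds `*` wherever a partial match is wanted, which suggests it is), none of the fifteen exclusions can ever match and `Windows/explorer.exe`, `Windows/regedit.exe`, `Windows/notepad.exe` and the rest will fire on every image - please confirm against a known-good MFT before merging. Prefix each entry with the directory, e.g. `- 'iWindows/explorer.exe'`, rather than using `'i*/explorer.exe'`, which would be true at any depth and is only held in check by the `regex` clause. The `regex` selector itself is sound: it restricts hits to a single path component directly under `Windows/`, so the exclusions only need to cover that level.
```yaml
  filesexc:
    FullPath:
      - 'iWindows/bfsvc.exe'
      - 'iWindows/explorer.exe'
      - 'iWindows/HelpPane.exe'
      - 'iWindows/hh.exe'
      - 'iWindows/mib.bin'
      - 'iWindows/notepad.exe'
      - 'iWindows/regedit.exe'
      - 'iWindows/splwow64.exe'
      - 'iWindows/twain_32.dll'
      - 'iWindows/twain.dll'
      - 'iWindows/winhlp32.exe'
      - 'iWindows/write.exe'
      - 'iWindows/fveupdate.exe'
      - 'iWindows/twunk_16.exe'
      - 'iWindows/twunk_32.exe'
```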
@@ -0,0 +1,118 @@
+---
+title: Suspicious Script or Executable Location - Windows Temp
+group: MFT
+description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
+authors:
+ - Reece394
+
+
+kind: mft
+level: low
+status: stable
+timestamp: StandardInfoCreated
+
+
+fields:
+ - name: FileNamePath
+ to: FullPath
+ - name: StandardInfoLastModified0x10
+ to: StandardInfoLastModified
+ - name: StandardInfoLastAccess0x10
+ to: StandardInfoLastAccess
+ - name: FileNameCreated0x30
+ to: FileNameCreated
+ - name: FileNameLastModified0x30
+ to: FileNameLastModified
+ - name: FileNameLastAccess0x30
+ to: FileNameLastAccess
+ - name: FileSize
+ to: FileSize
+ - name: IsADirectory
+ to: IsADirectory
+ - name: IsDeleted
+ to: IsDeleted
+ - name: HasAlternateDataStreams
+ to: HasAlternateDataStreams
+ - name: DataStreams
+ to: DataStreams
+
+filter:
+ condition: sup and directory
+
+ sup:
+ FullPath:
+ - 'i*.bat'
+ - 'i*.cmd'
+ - 'i*.cpl'
+ - 'i*.ex'
+ - 'i*.ex_'
+ - 'i*.exe'
+ - 'i*.jse'
+ - 'i*.msc'
+ - 'i*.ps1'
+ - 'i*.ps1xml'
+ - 'i*.ps2'
+ - 'i*.ps2xml'
+ - 'i*.psc1'
+ - 'i*.psc2'
+ - 'i*.msh'
+ - 'i*.msh1'
+ - 'i*.msh2'
+ - 'i*.mshxml'
+ - 'i*.msh1xml'
+ - 'i*.msh2xml'
+ - 'i*.reg'
+ - 'i*.vb'
+ - 'i*.vbe'
+ - 'i*.ws'
+ - 'i*.wsf'
+ - 'i*.wsc'
+ - 'i*.hta'
+ - 'i*.vbs'
+ - 'i*.com'
+ - 'i*.dll'
+ - 'i*.sys'
+ - 'i*.isu'
+ - 'i*.scr'
+ - 'i*.mst'
+ - 'i*.job'
+ - 'i*.paf'
+ - 'i*.sct'
+ - 'i*.gadget'
+ - 'i*.pif'
+ - 'i*.shb'
+ - 'i*.vbscript'
+ - 'i*.inf'
+ - 'i*.inf1'
+ - 'i*.shs'
+ - 'i*.bin'
+ - 'i*.ins'
+ - 'i*.u3p'
+ - 'i*.wsh'
+ - 'i*.inx'
+ - 'i*.js'
+ - 'i*.msi'
+ - 'i*.msp'
+ - 'i*.rgs'
+ - 'i*.sh'
+ - 'i*.run'
+ - 'i*.jar'
+ - 'i*.py'
+ - 'i*.py3'
+ - 'i*.pyc'
+ - 'i*.pyo'
+ - 'i*.pyw'
+ - 'i*.pyx'
+ - 'i*.pyd'
+ - 'i*.pxd'
+ - 'i*.pyi'
+ - 'i*.pyz'
+ - 'i*.pl'
+ - 'i*.rb'
+ - 'i*.ocx'
+ - 'i*.scf'
+ - 'i*.lnk'
+
+ directory:
+ FullPath:
+ - 'iWindows/Temp/*'
\ No newline at end of file
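Review bot: `timestamp: StandardInfoCreated` keys the output on the $STANDARD_INFORMATION creation time, which is the one ordinary user-mode code can rewrite through the normal file-time API (classic timestomping); the $FILE_NAME creation time that this rule already exports as `FileNameCreated` is not settable that way, so a dropper in `Windows\Temp` that backdates itself will land in the wrong place on the timeline while the evidence sits unremarked in the next column. Since the same `timestamp` line appears in all seven new rules, document the caveat where the analyst reads it, e.g. a comment above `timestamp:` such as `# SI creation time is trivially timestomped; compare with FileNameCreated0x30 before trusting the timeline position`, or key on the $FILE_NAME timestamp if the rule engine allows it. The description is again the generic sentence shared by the other rules; `Windows\Temp` is the SYSTEM-context temp directory that installers, servicing and update components write executables into, so a note that hits are expected to be frequent and that `IsDeleted` and `DataStreams` are the triage columns would set expectations for a `low`-level rule.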
diff --git a/rules/mft/systeminformer_mft.yml b/rules/mft/systeminformer_mft.yml index 78b6f23d..27071449 100644 --- a/rules/mft/systeminformer_mft.yml +++ b/rules/mft/systeminformer_mft.yml @@ -33,6 +33,8 @@ fields: to: IsDeleted - name: HasAlternateDataStreams to: HasAlternateDataStreams + - name: DataStreams + to: DataStreams filter: condition: si and (si_1 or si_2 or si_3 or si_4) diff --git a/rules/mft/winscp_mft.yml b/rules/mft/winscp_mft.yml index 750d2874..6b1bec4a 100644 --- a/rules/mft/winscp_mft.yml +++ b/rules/mft/winscp_mft.yml @@ -33,6 +33,8 @@ fields: to: IsDeleted - name: HasAlternateDataStreams to: HasAlternateDataStreams + - name: DataStreams + to: DataStreams filter: condition: winscp and (winscp_1 or winscp_2 or winscp_3) diff --git a/rules/mft/xenallpasswordpro_mft.yml b/rules/mft/xenallpasswordpro_mft.yml index e706df2c..ed8bba9b 100644 --- a/rules/mft/xenallpasswordpro_mft.yml +++ b/rules/mft/xenallpasswordpro_mft.yml @@ -33,6 +33,8 @@ fields: to: IsDeleted - name: HasAlternateDataStreams to: HasAlternateDataStreams + - name: DataStreams + to: DataStreams filter: condition: (xenallpasswordpro and xenallpasswordpro_ext) or (xenallpasswordpro_1 and xenallpasswordpro_2) or (xenallpasswordpro_3)