Add DataStreams Field to MFT Rules and Add Part 1 Rules for Suspicious Script and Executable Locations #212

Status: Open (wants to merge 3 commits into base: master)
14 changes: 10 additions & 4 deletions rules/mft/adamntds_dit_mft.yml
@@ -33,9 +33,11 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (adamntds and adamntds_1) and not adamntds_2
condition: (adamntds and adamntds_1) and not (adamntds_2 or adamntds_3)

adamntds:
FullPath:
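Review bot: the `DataStreams` column added to `fields` is not referenced anywhere in the filter (the rewritten condition only uses `adamntds`, `adamntds_1`, `adamntds_2` and `adamntds_3`), so it is an output-only column; a one-line YAML comment saying so would stop the next reader from hunting for a missing selector, and it is worth confirming the MFT parser actually emits a `DataStreams` field, because an unmapped name will just surface as an empty column with no error. The condition change itself, `not (adamntds_2 or adamntds_3)`, is equivalent to `not adamntds_2 and not adamntds_3`, which matches the intent of adding a second exclusion.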
@@ -47,6 +49,10 @@ filter:

adamntds_2:
FullPath:
- 'iProgram Files\Microsoft ADAM\*'
- 'iWindows\WinSxS*'
- 'iWindows\servicing\LCU\*'
- 'iProgram Files/Microsoft ADAM/*'
- 'iWindows/WinSxS*'
- 'iWindows/servicing/LCU/*'

adamntds_3:
FileSize:
- 55
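Review bot: `adamntds_3` excludes on `FileSize: 55` with no explanation; a bare magic number in an exclusion is unmaintainable, so add a comment naming the 55-byte artefact being suppressed (a real ADAM/AD LDS database is never that small, so this is presumably a stub or placeholder) and, if the engine supports numeric comparison, prefer a "smaller than a plausible database" threshold over an exact-equality match that will miss a 54- or 56-byte stub. The separator switch from `\` to `/` in `adamntds_2` is only correct if the `adamntds` include block (context-only in this hunk) and the parser's `FullPath` values use the same separator; if the include patterns still use backslashes, these exclusions will never match and the rule silently regresses to the pre-change false positives, so please show or double-check the top of the filter block.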
2 changes: 2 additions & 0 deletions rules/mft/advanced_ip_scanner_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
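Review bot: this two-line `DataStreams` mapping is repeated verbatim in every other MFT rule in the PR (advanced_port_scanner, angry_ip_scanner, anydesk, browserscan, filezilla, lsass_dmp, megasync, mimikatz, netscan, nirsoft, processhacker, psexec, pstools, rclone, rubeus, shadow_dumper), and none of those files' conditions use the field, so it is an output-only column in all of them. If the rule format requires per-rule `fields`, a sentence in the PR description saying the addition is mechanical would let reviewers skip straight to the substantive hunks in adamntds_dit, ntds_dit and the new sup_script_exec_intel rule; if it does not, a shared field list would avoid hand-editing 19 files each time a column is added.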
2 changes: 2 additions & 0 deletions rules/mft/advanced_port_scanner_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: aps and (aps_1 or aps_2 or aps_3 or aps_4)
2 changes: 2 additions & 0 deletions rules/mft/angry_ip_scanner_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ais and (ais_1 or ais_2 or ais_3 or ais_4)
2 changes: 2 additions & 0 deletions rules/mft/anydesk_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: anydesk and (anydesk_1 or anydesk_2 or anydesk_3 or anydesk_4 or anydesk_5 or anydesk_6)
2 changes: 2 additions & 0 deletions rules/mft/browserscan_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (browserscan and browserscan_loot) or (browserscan_1 and browserscan_2)
2 changes: 2 additions & 0 deletions rules/mft/filezilla_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: filezilla and (filezilla_1 or filezilla_2 or filezilla_3 or filezilla_4)
2 changes: 2 additions & 0 deletions rules/mft/lsass_dmp_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: lsass and (lsass_1 or lsass_2)
2 changes: 2 additions & 0 deletions rules/mft/megasync_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ms and (ms_1 or ms_2 or ms_3)
2 changes: 2 additions & 0 deletions rules/mft/mimikatz_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: mimikatz
2 changes: 2 additions & 0 deletions rules/mft/netscan_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: netscan and (netscan_1 or netscan_2 or netscan_3)
2 changes: 2 additions & 0 deletions rules/mft/nirsoft_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: nirsoft and (nirsoft_1 or nirsoft_2 or nirsoft_3)
16 changes: 11 additions & 5 deletions rules/mft/ntds_dit_mft.yml
@@ -33,9 +33,11 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: (ntds and ntds_1) and not ntds_2
condition: (ntds and ntds_1) and not (ntds_2 or ntds_3)

ntds:
FullPath:
@@ -47,7 +49,11 @@ filter:

ntds_2:
FullPath:
- 'iWindows\NTDS\NTDS.dit'
- 'iWindows\WinSxS*'
- 'iWindows\servicing\LCU\*'
- 'i*adamntds.dit*'
- 'iWindows/NTDS/NTDS.dit'
- 'iWindows/WinSxS*'
- 'iWindows/servicing/LCU/*'
- 'i*adamntds.dit*'

ntds_3:
FileSize:
- 55
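Review bot: the new `'i*adamntds.dit*'` exclusion exists to stop this rule double-firing on ADAM/AD LDS databases that are now handled by `adamntds_dit_mft.yml`; say that in a YAML comment, otherwise a future reader will take a wildcard exclusion on a `.dit` file name for an accidental allow-list of exactly the artefact the rule hunts. The exact-path exclusion `'iWindows/NTDS/NTDS.dit'` only covers the default database location, so a DC promoted with a custom NTDS path will still match `ntds` on its legitimate database; that is probably acceptable for a hunting rule but should be stated. The `FileSize: 55` exclusion in `ntds_3` has the same problem as in adamntds_dit: an unexplained magic number and an exact-equality match, so document what the 55-byte file is and consider a size threshold instead. The `\` to `/` change has the same caveat as well: it only works if the `ntds` include patterns (not visible here) and the parser's `FullPath` agree on the separator.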
2 changes: 2 additions & 0 deletions rules/mft/processhacker_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: ph and (ph_1 or ph_2 or ph_3 or ph_4)
2 changes: 2 additions & 0 deletions rules/mft/psexec_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: psexec or (key_1 and key_2)
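Review bot: style nit on the context line `psexec or (key_1 and key_2)`: the generic `key_1`/`key_2` selector names break the `<rule>_N` convention that the sibling rules touched in this PR follow (`pstools_1 and pstools_2`, `rclone_1 and rclone_2`); since the file is being edited anyway, renaming them to `psexec_1`/`psexec_2` would make the convention uniform. The `DataStreams` addition itself is output-only here as in the other rules.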
2 changes: 2 additions & 0 deletions rules/mft/pstools_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: pstools or (pstools_1 and pstools_2)
2 changes: 2 additions & 0 deletions rules/mft/rclone_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: rclone or (rclone_1 and rclone_2)
2 changes: 2 additions & 0 deletions rules/mft/rubeus_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: rubeus
2 changes: 2 additions & 0 deletions rules/mft/shadow_dumper_mft.yml
@@ -33,6 +33,8 @@ fields:
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: shadowdumper
118 changes: 118 additions & 0 deletions rules/mft/sup_script_exec_intel_mft.yml
@@ -0,0 +1,118 @@
---
title: Suspicious Script or Executable Location - Intel
group: MFT
description: Suspicious Script or Executable in a different location than standard. Potential Threat Actor Activity.
authors:
- Reece394


kind: mft
level: low
status: stable
timestamp: StandardInfoCreated


fields:
- name: FileNamePath
to: FullPath
- name: StandardInfoLastModified0x10
to: StandardInfoLastModified
- name: StandardInfoLastAccess0x10
to: StandardInfoLastAccess
- name: FileNameCreated0x30
to: FileNameCreated
- name: FileNameLastModified0x30
to: FileNameLastModified
- name: FileNameLastAccess0x30
to: FileNameLastAccess
- name: FileSize
to: FileSize
- name: IsADirectory
to: IsADirectory
- name: IsDeleted
to: IsDeleted
- name: HasAlternateDataStreams
to: HasAlternateDataStreams
- name: DataStreams
to: DataStreams

filter:
condition: sup and directory

sup:
FullPath:
- 'i*.bat'
- 'i*.cmd'
- 'i*.cpl'
- 'i*.ex'
- 'i*.ex_'
- 'i*.exe'
- 'i*.jse'
- 'i*.msc'
- 'i*.ps1'
- 'i*.ps1xml'
- 'i*.ps2'
- 'i*.ps2xml'
- 'i*.psc1'
- 'i*.psc2'
- 'i*.msh'
- 'i*.msh1'
- 'i*.msh2'
- 'i*.mshxml'
- 'i*.msh1xml'
- 'i*.msh2xml'
- 'i*.reg'
- 'i*.vb'
- 'i*.vbe'
- 'i*.ws'
- 'i*.wsf'
- 'i*.wsc'
- 'i*.hta'
- 'i*.vbs'
- 'i*.com'
- 'i*.dll'
- 'i*.sys'
- 'i*.isu'
- 'i*.scr'
- 'i*.mst'
- 'i*.job'
- 'i*.paf'
- 'i*.sct'
- 'i*.gadget'
- 'i*.pif'
- 'i*.shb'
- 'i*.vbscript'
- 'i*.inf'
- 'i*.inf1'
- 'i*.shs'
- 'i*.bin'
- 'i*.ins'
- 'i*.u3p'
- 'i*.wsh'
- 'i*.inx'
- 'i*.js'
- 'i*.msi'
- 'i*.msp'
- 'i*.rgs'
- 'i*.sh'
- 'i*.run'
- 'i*.jar'
- 'i*.py'
- 'i*.py3'
- 'i*.pyc'
- 'i*.pyo'
- 'i*.pyw'
- 'i*.pyx'
- 'i*.pyd'
- 'i*.pxd'
- 'i*.pyi'
- 'i*.pyz'
- 'i*.pl'
- 'i*.rb'
- 'i*.ocx'
- 'i*.scf'
- 'i*.lnk'

directory:
FullPath:
- 'iIntel/*'
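Review bot: the `directory` block `'iIntel/*'` will match legitimate Intel installer payloads: Intel chipset, graphics and storage driver packages unpack into `C:\Intel\...` on most OEM Windows builds and contain `.exe`, `.dll`, `.sys`, `.inf`, `.msi` and similar files, all of which are in the `sup` list, so this rule fires on every file of a routine driver install. `level: low` softens that but does not fix it; consider dropping the driver-centric extensions (`.sys`, `.inf`, `.dll`, `.msi`, `.msp`, `.ocx`) from this rule or adding an exclusion block for the known vendor subfolders, and stating the expected noise in `description` so analysts know to pivot on `FullPath` rather than treat each hit as a finding. Two smaller points: `timestamp: StandardInfoCreated` has no matching `StandardInfoCreated0x10` entry in `fields` while every other timestamp column is mapped, so confirm the engine resolves that column without a mapping; and a few entries in `sup` look unusual enough to deserve a comment or removal (`.ex` next to `.ex_` and `.exe`, `.inf1`, `.vbscript`, `.py3`), since anything that is not a real extension just adds pattern-matching cost without catching anything.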