diff --git a/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml b/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml
index 678200444..3c9e0aa0e 100644
--- a/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -1,4 +1,4 @@
-title: Suspicious Schtasks From Env Var Folder
+title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
 id: 4e18ea92-76c9-f5f4-1980-ea4c976954af
 related:
 - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
@@ -10,9 +10,10 @@ description: Detects Schtask creations that point to a suspicious folder or an e
 references:
 - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
 - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
+ - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
 author: Florian Roth (Nextron Systems)
 date: 2022-02-21
-modified: 2023-11-30
+modified: 2024-10-28
 tags:
 - attack.execution
 - attack.t1053.005
@@ -23,38 +24,40 @@ detection: process_creation: EventID: 4688 Channel: Security - selection1_create: + selection_1_create: CommandLine|contains: ' /create ' NewProcessName|endswith: \schtasks.exe - selection1_all_folders: + selection_1_all_folders: CommandLine|contains: - :\Perflogs + - :\Users\All Users\ + - :\Users\Default\ + - :\Users\Public - :\Windows\Temp - \AppData\Local\ - \AppData\Roaming\ - - \Users\Public - '%AppData%' - '%Public%' - selection2_parent: + selection_2_parent: ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule - selection2_some_folders: + selection_2_some_folders: CommandLine|contains: - :\Perflogs - :\Windows\Temp - \Users\Public - '%Public%' - filter_mixed: - - CommandLine|contains: - - update_task.xml - - /Create /TN TVInstallRestore /TR + filter_optional_other: - ParentCommandLine|contains: unattended.ini - filter_avira_install: + - CommandLine|contains: update_task.xml + filter_optional_team_viewer: + CommandLine|contains: /Create /TN TVInstallRestore /TR + filter_optional_avira_install: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - /Create /Xml "C:\Users\ - \AppData\Local\Temp\.CR. - Avira_Security_Installation.xml - filter_avira_other: + filter_optional_avira_other: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - /Create /F /TN 
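Review bot: The three paths added to selection_1_all_folders are spelled inconsistently: `:\Users\All Users\` and `:\Users\Default\` end with a backslash while `:\Users\Public` does not, so with a plain `contains` the last one also matches any folder whose name merely begins with Public; the closed form `- :\Users\Public\` is the safer spelling. The same hunk drops the drive-agnostic `\Users\Public` entry from that list while selection_2_some_folders keeps it, so the two selections now disagree on whether a public-folder path must be preceded by a drive letter — if narrowing to local drives is intended, the second list should be narrowed the same way, otherwise the entry should be restored. The sysmon copy of this rule in the later hunk carries the identical list and needs the same fix. The detection block continues in the next hunk of this file.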
@@ -66,12 +69,12 @@ detection:
 - .tmp\WatchdogServiceControlManagerTimeout.xml
 - .tmp\SystrayAutostart.xml
 - .tmp\MaintenanceTask.xml
- filter_klite_codec:
+ filter_optional_klite_codec:
 CommandLine|contains|all:
 - \AppData\Local\Temp\
 - '/Create /TN "klcp_update" /XML '
 - \klcp_update_task.xml
- condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*)
+ condition: process_creation and (( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*)
 falsepositives:
 - Benign scheduled tasks creations or executions that happen often during software installations
 - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
diff --git a/sigma/builtin/threat-hunting/security/win_security_file_access_browser_credential.yml b/sigma/builtin/threat-hunting/security/win_security_file_access_browser_credential.yml
new file mode 100644
index 000000000..7b2d53735
--- /dev/null
+++ b/sigma/builtin/threat-hunting/security/win_security_file_access_browser_credential.yml
@@ -0,0 +1,61 @@
+title: Access To Browser Credential Files By Uncommon Applications - Security
+id: 7619b716-8052-6323-d9c7-87923ef591e6
+related:
+ - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
+ type: similar
+ - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
+ type: derived
+status: experimental
+description: |
+ Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
+references:
+ - https://ipurple.team/2024/09/10/browser-stored-credentials/
+author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
+date: 2024-10-21
+tags:
+ - attack.credential-access
+ - attack.t1555.003
+ - detection.threat-hunting
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
+detection:
+ security:
+ Channel: Security
+ selection_eid:
+ EventID: 4663
+ ObjectType: File
+ # Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
+ AccessMask: '0x1'
+ selection_browser_chromium:
+ ObjectName|contains:
+ - \User Data\Default\Login Data
+ - \User Data\Local State
+ - \User Data\Default\Network\Cookies
+ selection_browser_firefox:
+ FileName|endswith:
+ - \cookies.sqlite
+ - \places.sqlite
+ - release\key3.db # Firefox
+ - release\key4.db # Firefox
+ - release\logins.json # Firefox
+ filter_main_system:
+ ProcessName: System
+ filter_main_generic:
+ # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
+ ProcessName|startswith:
+ - C:\Program Files (x86)\
+ - C:\Program Files\
+ - C:\Windows\system32\
+ - C:\Windows\SysWOW64\
+ filter_optional_defender:
+ ProcessName|startswith: C:\ProgramData\Microsoft\Windows Defender\
+ ProcessName|endswith:
+ - \MpCopyAccelerator.exe
+ - \MsMpEng.exe
+ condition: security and (selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*)
+falsepositives:
+ - Unknown
+level: low
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml
index 360f0c953..7cdfc93af 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_schtasks_env_folder.yml
@@ -1,4 +1,4 @@
-title: Suspicious Schtasks From Env Var Folder
+title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
 id: b924f48e-7962-6bf7-2d54-33233aa67b1b
 related:
 - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
@@ -10,9 +10,10 @@ description: Detects Schtask creations that point to a suspicious folder or an e
 references:
 - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
 - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
+ - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
 author: Florian Roth (Nextron Systems)
 date: 2022-02-21
-modified: 2023-11-30
+modified: 2024-10-28
 tags:
 - attack.execution
 - attack.t1053.005
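Review bot: selection_browser_firefox keys on `FileName|endswith` while the rest of the rule (and its own logsource definition) keys on `ObjectName`; Security event 4663 reports the accessed path in ObjectName, so unless a downstream field mapping rewrites FileName, the Firefox half of the condition never matches and only the Chromium stores are actually covered — `ObjectName|endswith:` keeps the selection consistent with selection_browser_chromium. `AccessMask: '0x1'` is an exact string match on a bitmask, which the inline note already admits; a read that arrives combined with other rights carries a different hex value and falls outside selection_eid, so the known read-bearing masks should be listed or the limitation stated in the description rather than left as a TODO in a comment. The description reads as one run-on block (`credential stealing This rule`), and `falsepositives: - Unknown` contradicts the filter_main_generic comment about third-party software; I would write `- Third party software that legitimately accesses browser profile data` there. The three `# Firefox` inline comments repeat the selection name and can be dropped.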
@@ -24,38 +25,40 @@ detection: process_creation: EventID: 1 Channel: Microsoft-Windows-Sysmon/Operational - selection1_create: + selection_1_create: Image|endswith: \schtasks.exe CommandLine|contains: ' /create ' - selection1_all_folders: + selection_1_all_folders: CommandLine|contains: - :\Perflogs + - :\Users\All Users\ + - :\Users\Default\ + - :\Users\Public - :\Windows\Temp - \AppData\Local\ - \AppData\Roaming\ - - \Users\Public - '%AppData%' - '%Public%' - selection2_parent: + selection_2_parent: ParentCommandLine|endswith: \svchost.exe -k netsvcs -p -s Schedule - selection2_some_folders: + selection_2_some_folders: CommandLine|contains: - :\Perflogs - :\Windows\Temp - \Users\Public - '%Public%' - filter_mixed: - - CommandLine|contains: - - update_task.xml - - /Create /TN TVInstallRestore /TR + filter_optional_other: - ParentCommandLine|contains: unattended.ini - filter_avira_install: + - CommandLine|contains: update_task.xml + filter_optional_team_viewer: + CommandLine|contains: /Create /TN TVInstallRestore /TR + filter_optional_avira_install: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - /Create /Xml "C:\Users\ - \AppData\Local\Temp\.CR. - Avira_Security_Installation.xml - filter_avira_other: + filter_optional_avira_other: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - /Create /F /TN 
@@ -67,12 +70,12 @@ detection:
 - .tmp\WatchdogServiceControlManagerTimeout.xml
 - .tmp\SystrayAutostart.xml
 - .tmp\MaintenanceTask.xml
- filter_klite_codec:
+ filter_optional_klite_codec:
 CommandLine|contains|all:
 - \AppData\Local\Temp\
 - '/Create /TN "klcp_update" /XML '
 - \klcp_update_task.xml
- condition: process_creation and (( all of selection1* or all of selection2* ) and not 1 of filter*)
+ condition: process_creation and (( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*)
 falsepositives:
 - Benign scheduled tasks creations or executions that happen often during software installations
 - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders