diff --git a/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
index adbae802b..a94b7514a 100644
--- a/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/10/11
+modified: 2023/11/14
 tags:
 - attack.defense_evasion
 - attack.t1218.011
@@ -56,9 +56,6 @@ detection:
 - C:\Windows\Installer\MSI
 - .tmp
 - zzzzInvokeManagedCustomActionOutOfProc
- CommandLine|contains:
- - Avira.OE.Setup
- - FindOldJetBrainsProduct
 condition: process_creation and (selection and not 1 of filter_*)
 fields:
 - NewProcessName
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
new file mode 100644
index 000000000..0180286f3
--- /dev/null
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
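Review bot: Dropping the `CommandLine|contains` entries `Avira.OE.Setup` and `FindOldJetBrainsProduct` in the `@@ -56,9 +56,6 @@` hunk leaves the surrounding filter matching on the three `C:\Windows\Installer\MSI` / `.tmp` / `zzzzInvokeManagedCustomActionOutOfProc` strings alone, so every rundll32 invocation of an MSI out-of-process custom action is now suppressed rather than only those two vendors' installers. If that widening is intended, the rule's `falsepositives` entry or a comment on the filter should record it, e.g. `# MSI custom-action invocations (MSI*.tmp) are filtered regardless of vendor`. The filter's key and the `falsepositives` section sit outside the hunk, so the filter's structure is inferred from the context lines. The sysmon copy of the rule receives the identical change in its `@@ -57,9 +57,6 @@` hunk further down.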
@@ -0,0 +1,79 @@
+title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+related:
+ - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+ type: derived
+status: experimental
+description: 'Detects execution of different log query utilities to search and dump
+ the content of specific event logs or look for specific event IDs.
+
+ '
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
+ - https://www.group-ib.com/blog/apt41-world-tour-2021/
+ - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2022/09/09
+modified: 2023/11/20
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1552
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_wmi:
+ CommandLine|contains|all:
+ - Select
+ - Win32_NTLogEvent
+ selection_wevtutil_img:
+ - NewProcessName|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - NewProcessName|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ selection_logs_name:
+ CommandLine|contains:
+ - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+ - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
+ - Security
+ selection_logs_eid:
+ CommandLine|contains:
+ - -InstanceId 4624
+ - System[EventID=4624]
+ - EventCode=?4624?
+ - EventIdentifier=?4624?
+ - -InstanceId 4778
+ - System[EventID=4778]
+ - EventCode=?4778?
+ - EventIdentifier=?4778?
+ - -InstanceId 25
+ - System[EventID=25]
+ - EventCode=?25?
+ - EventIdentifier=?25?
+ condition: process_creation and (1 of selection_logs_* and (selection_wmi or all
+ of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet))
+falsepositives:
+ - Legitimate usage of the utility by administrators to query the event log
+level: medium
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_wevtutil_recon.yml b/sigma/builtin/process_creation/proc_creation_win_wevtutil_recon.yml
deleted file mode 100644
index ccdcb4e52..000000000
--- a/sigma/builtin/process_creation/proc_creation_win_wevtutil_recon.yml
+++ /dev/null
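Review bot: `selection_wmic_img` in the new rule is a verbatim copy of `selection_wevtutil_img` and still matches `\wevtutil.exe` / `OriginalFileName: wevtutil.exe`, so `all of selection_wmic_*` can only be satisfied by a wevtutil process whose command line contains ` ntevent`, and the WMIC branch of the condition is effectively dead. The image selector should name the WMI command-line tool instead: `- NewProcessName|endswith: \wmic.exe` and `- OriginalFileName: wmic.exe`. The same copy-paste is present in the new threat-hunting rule proc_creation_win_susp_event_log_query.yml (hunk `@@ -0,0 +1,55 @@`) and in both sysmon copies (hunks `@@ -0,0 +1,80 @@` and `@@ -0,0 +1,56 @@`, where the field is `Image|endswith`). A one-line comment above `selection_logs_eid`, such as `# '?' is the Sigma single-character wildcard, standing in for the quote character around the event ID`, would also make the `EventCode=?4624?` patterns self-explanatory.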
@@ -1,33 +0,0 @@
-title: Potential Recon Activity Using Wevtutil
-id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
-status: experimental
-description: Detects usage of the wevtutil utility to perform reconnaissance
-references:
- - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/01/18
-tags:
- - attack.discovery
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 4688
- Channel: Security
- selection_cli:
- CommandLine|contains:
- - ' qe '
- - ' query-events '
- NewProcessName|endswith: \wevtutil.exe
- selection_logs:
- CommandLine|contains:
- - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
- - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
- - Security
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Legitimate usage of the utility by administrators to query the event log
-level: medium
-ruletype: Sigma
diff --git a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
index 8ebb30bd1..d03fdd2cd 100644
--- a/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
+++ b/sigma/builtin/registry/registry_set/registry_set_disable_function_user.yml
@@ -7,9 +7,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: frack113, Nasreddine Bencherchali
+ - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+ - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
+author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
 date: 2022/03/18
-modified: 2023/08/17
+modified: 2023/11/20
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -22,21 +24,23 @@ detection:
 Channel: Security
 selection_set_1:
 TargetObject|endswith:
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
- - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
 - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+ - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
 Details: DWORD (0x00000001)
 selection_set_0:
 TargetObject|endswith:
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
 - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
- - \SYSTEM\CurrentControlSet\Control\Storage\Write Protection
- - \SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
+ - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
+ - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
 Details: DWORD (0x00000000)
 condition: registry_set and (1 of selection_set_*)
 falsepositives:
diff --git a/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
new file mode 100644
index 000000000..1ff0c8b56
--- /dev/null
+++ b/sigma/builtin/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -0,0 +1,55 @@
+title: EventLog Query Requests By Builtin Utilities
+id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+related:
+ - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+ type: derived
+status: experimental
+description: 'Detect attempts to query the contents of the event log using command
+ line utilities. Attackers use this technique in order to look for sensitive information
+ in the logs such as passwords, usernames, IPs, etc.
+
+ '
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/20
+tags:
+ - attack.t1552
+ - attack.credential_access
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection_wmi:
+ CommandLine|contains|all:
+ - Select
+ - Win32_NTLogEvent
+ selection_wevtutil_img:
+ - NewProcessName|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - NewProcessName|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ condition: process_creation and (selection_wmi or all of selection_wevtutil_*
+ or all of selection_wmic_* or selection_cmdlet)
+falsepositives:
+ - Legitimate log access by administrators or troubleshooting tools
+level: medium
+ruletype: Sigma
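Review bot: The `related` entry of this rule declares it `derived` from beaa66d6-aa1b-4e3c-80f5-e0145369bfaf, while that rule's own `related` entry (the `@@ -0,0 +1,79 @@` hunk above) declares itself `derived` from this one, so each rule is recorded as the derivative of the other. Given the dates (the recon rule carries `date: 2022/09/09`, this one `date: 2023/11/20`) only this rule should keep `type: derived`; the recon rule's back-reference should become `type: similar` or be dropped. The same circular pair is repeated in the two sysmon copies of these rules. As a point of wording, `description: 'Detect attempts ...'` reads `Detects attempts ...` in every other rule in this diff.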
diff --git a/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml b/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml
new file mode 100644
index 000000000..0f243b099
--- /dev/null
+++ b/sigma/sysmon/dns_query/dns_query_win_devtunnels_communication.yml
@@ -0,0 +1,39 @@
+title: DNS Query To Devtunnels Domain
+id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+ type: similar
+status: experimental
+description: 'Detects DNS query requests to Devtunnels domains. Attackers can abuse
+ that feature to establish a reverse shell or persistence on a machine.
+
+ '
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: citron_ninja
+date: 2023/10/25
+modified: 2023/11/20
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+ - sysmon
+logsource:
+ category: dns_query
+ product: windows
+detection:
+ dns_query:
+ EventID: 22
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ QueryName|endswith: .devtunnels.ms
+ condition: dns_query and selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml b/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
index 0e1f1b41b..66f50f215 100644
--- a/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
+++ b/sigma/sysmon/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -1,17 +1,24 @@
-title: DNS Query To Devtunnels And VsCode Tunnels
+title: DNS Query To Visual Studio Code Tunnels Domain
 id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+ type: similar
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+ type: similar
 status: experimental
-description: 'Detects DNS query to Devtunnels and Visual Studio Code tunnel domains.
- Attackers can be abuse these features to establish a reverse shell.
+description: 'Detects DNS query requests to Visual Studio Code tunnel domains. Attackers
+ can abuse that feature to establish a reverse shell or persistence on a machine.
 
 '
 references:
 - https://ipfyx.fr/post/visual-studio-code-tunnel/
 - https://badoption.eu/blog/2023/01/31/code_c2.html
- - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/vscode-data-exfiltration
 author: citron_ninja
 date: 2023/10/25
+modified: 2023/11/20
 tags:
 - attack.command_and_control
 - attack.t1071.001
@@ -24,11 +31,9 @@ detection:
 EventID: 22
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
- QueryName|endswith:
- - .tunnels.api.visualstudio.com
- - .devtunnels.ms
+ QueryName|endswith: .tunnels.api.visualstudio.com
 condition: dns_query and selection
 falsepositives:
- - Legitimate use of Visual Studio Code tunnel will also trigger this
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
 level: medium
 ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml
new file mode 100644
index 000000000..4f25f45a1
--- /dev/null
+++ b/sigma/sysmon/network_connection/net_connection_win_devtunnel_connection.yml
@@ -0,0 +1,40 @@
+title: Network Connection Initiated To DevTunnels Domain
+id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+related:
+ - id: 4b657234-038e-4ad5-997c-4be42340bce4
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+ type: similar
+status: experimental
+description: 'Detects network connections to Devtunnels domains initiated by a process
+ on a system. Attackers can abuse that feature to establish a reverse shell or
+ persistence on a machine.
+
+ '
+references:
+ - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
+ - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+ - https://cydefops.com/devtunnels-unleashed
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+ - sysmon
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ network_connection:
+ EventID: 3
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: .devtunnels.ms
+ condition: network_connection and selection
+falsepositives:
+ - Legitimate use of Devtunnels will also trigger this.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml b/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml
new file mode 100644
index 000000000..3de1a0f85
--- /dev/null
+++ b/sigma/sysmon/network_connection/net_connection_win_vscode_tunnel_connection.yml
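Review bot: This rule is tagged `attack.exfiltration` / `attack.t1567.001`, but its description speaks of a reverse shell or persistence, and the sibling DNS rule for the same domain (1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b, listed under `related` as `similar`) classifies the behaviour as `attack.command_and_control` / `attack.t1071.001`; the four related rules should agree, so either add the C2 tags here or explain in the description why the network-connection view is treated as exfiltration. The Visual Studio Code counterpart in the next hunk (net_connection_win_vscode_tunnel_connection.yml) has the same mismatch. Separately, if I read Sysmon event 3 correctly, `DestinationHostname` is resolved from the destination address rather than taken from the client's request, so it can be empty or differ from the name the process asked for; a sentence in the description noting that the DNS-query rule is the more dependable of the pair would help anyone tuning coverage.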
@@ -0,0 +1,40 @@
+title: Network Connection Initiated To Visual Studio Code Tunnels Domain
+id: 4b657234-038e-4ad5-997c-4be42340bce4
+related:
+ - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
+ type: similar
+ - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
+ type: similar
+ - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
+ type: similar
+status: experimental
+description: 'Detects network connections to Visual Studio Code tunnel domains initiated
+ by a process on a system. Attackers can abuse that feature to establish a reverse
+ shell or persistence on a machine.
+
+ '
+references:
+ - https://ipfyx.fr/post/visual-studio-code-tunnel/
+ - https://badoption.eu/blog/2023/01/31/code_c2.html
+ - https://cydefops.com/vscode-data-exfiltration
+author: Kamran Saifullah
+date: 2023/11/20
+tags:
+ - attack.exfiltration
+ - attack.t1567.001
+ - sysmon
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ network_connection:
+ EventID: 3
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: .tunnels.api.visualstudio.com
+ condition: network_connection and selection
+falsepositives:
+ - Legitimate use of Visual Studio Code tunnel will also trigger this.
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/sigma/sysmon/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
index 77cbef7ef..be359ec31 100644
--- a/sigma/sysmon/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
+++ b/sigma/sysmon/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)
 date: 2022/01/13
-modified: 2023/10/11
+modified: 2023/11/14
 tags:
 - attack.defense_evasion
 - attack.t1218.011
@@ -57,9 +57,6 @@ detection:
 - C:\Windows\Installer\MSI
 - .tmp
 - zzzzInvokeManagedCustomActionOutOfProc
- CommandLine|contains:
- - Avira.OE.Setup
- - FindOldJetBrainsProduct
 condition: process_creation and (selection and not 1 of filter_*)
 fields:
 - Image
diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
new file mode 100644
index 000000000..64cc58b55
--- /dev/null
+++ b/sigma/sysmon/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -0,0 +1,80 @@
+title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+related:
+ - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+ type: derived
+status: experimental
+description: 'Detects execution of different log query utilities to search and dump
+ the content of specific event logs or look for specific event IDs.
+
+ '
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
+ - https://www.group-ib.com/blog/apt41-world-tour-2021/
+ - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2022/09/09
+modified: 2023/11/20
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1552
+ - sysmon
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_wmi:
+ CommandLine|contains|all:
+ - Select
+ - Win32_NTLogEvent
+ selection_wevtutil_img:
+ - Image|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - Image|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ selection_logs_name:
+ CommandLine|contains:
+ - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+ - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
+ - Security
+ selection_logs_eid:
+ CommandLine|contains:
+ - -InstanceId 4624
+ - System[EventID=4624]
+ - EventCode=?4624?
+ - EventIdentifier=?4624?
+ - -InstanceId 4778
+ - System[EventID=4778]
+ - EventCode=?4778?
+ - EventIdentifier=?4778?
+ - -InstanceId 25
+ - System[EventID=25]
+ - EventCode=?25?
+ - EventIdentifier=?25?
+ condition: process_creation and (1 of selection_logs_* and (selection_wmi or all
+ of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet))
+falsepositives:
+ - Legitimate usage of the utility by administrators to query the event log
+level: medium
+ruletype: Sigma
diff --git a/sigma/sysmon/process_creation/proc_creation_win_wevtutil_recon.yml b/sigma/sysmon/process_creation/proc_creation_win_wevtutil_recon.yml
deleted file mode 100644
index 8e066f792..000000000
--- a/sigma/sysmon/process_creation/proc_creation_win_wevtutil_recon.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Potential Recon Activity Using Wevtutil
-id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
-status: experimental
-description: Detects usage of the wevtutil utility to perform reconnaissance
-references:
- - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/01/18
-tags:
- - attack.discovery
- - sysmon
-logsource:
- category: process_creation
- product: windows
-detection:
- process_creation:
- EventID: 1
- Channel: Microsoft-Windows-Sysmon/Operational
- selection_cli:
- Image|endswith: \wevtutil.exe
- CommandLine|contains:
- - ' qe '
- - ' query-events '
- selection_logs:
- CommandLine|contains:
- - Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
- - Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational
- - Security
- condition: process_creation and (all of selection_*)
-falsepositives:
- - Legitimate usage of the utility by administrators to query the event log
-level: medium
-ruletype: Sigma
diff --git a/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml b/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml
index bba85a999..3bee9c1fa 100644
--- a/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml
+++ b/sigma/sysmon/registry/registry_set/registry_set_disable_function_user.yml
@@ -7,9 +7,11 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
 - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
-author: frack113, Nasreddine Bencherchali
+ - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
+ - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
+author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
 date: 2022/03/18
-modified: 2023/08/17
+modified: 2023/11/20
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -23,21 +25,23 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection_set_1:
 TargetObject|endswith:
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
- - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL
 - SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff
+ - SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
 Details: DWORD (0x00000001)
 selection_set_0:
 TargetObject|endswith:
- - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon
 - SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled
- - \SYSTEM\CurrentControlSet\Control\Storage\Write Protection
- - \SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
+ - SYSTEM\CurrentControlSet\Control\Storage\Write Protection
+ - SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
 Details: DWORD (0x00000000)
 condition: registry_set and (1 of selection_set_*)
 falsepositives:
diff --git a/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
new file mode 100644
index 000000000..65d888497
--- /dev/null
+++ b/sigma/sysmon/threat-hunting/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -0,0 +1,56 @@
+title: EventLog Query Requests By Builtin Utilities
+id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+related:
+ - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+ type: derived
+status: experimental
+description: 'Detect attempts to query the contents of the event log using command
+ line utilities. Attackers use this technique in order to look for sensitive information
+ in the logs such as passwords, usernames, IPs, etc.
+
+ '
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/20
+tags:
+ - attack.t1552
+ - attack.credential_access
+ - detection.threat_hunting
+ - sysmon
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_creation:
+ EventID: 1
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_wmi:
+ CommandLine|contains|all:
+ - Select
+ - Win32_NTLogEvent
+ selection_wevtutil_img:
+ - Image|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - Image|endswith: \wevtutil.exe
+ - OriginalFileName: wevtutil.exe
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ condition: process_creation and (selection_wmi or all of selection_wevtutil_*
+ or all of selection_wmic_* or selection_cmdlet)
+falsepositives:
+ - Legitimate log access by administrators or troubleshooting tools
+level: medium
+ruletype: Sigma