From de2447af298aaaaca4ca4e6817ec9d669d9144ba Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 20:07:22 +0000 Subject: [PATCH] Sigma Rule Update (2023-12-04 20:07:16) (#543) Co-authored-by: hach1yon --- .../powershell_script/posh_ps_hktl_winpwn.yml | 54 ++++++++ .../proc_creation_win_hktl_impacket_tools.yml | 2 +- .../proc_creation_win_hktl_winpeas.yml | 6 +- .../proc_creation_win_hktl_winpwn.yml | 50 +++++++ ...in_susp_hiding_malware_in_fonts_folder.yml | 4 - ...in_susp_homoglyph_cyrillic_lookalikes.yml} | 0 ...ess_win_lazagne_cred_dump_lsass_access.yml | 0 .../proc_access_win_lsass_susp_access.yml} | 4 +- ...ss_win_pypykatz_cred_dump_lsass_access.yml | 0 ..._access_win_malware_verclsid_shellcode.yml | 16 ++- ...c_access_win_cmstp_execution_by_access.yml | 4 - ...tl_cobaltstrike_bof_injection_pattern.yml} | 4 +- .../proc_access_win_hktl_generic_access.yml | 116 ++++++++++++++++ ...cess_win_hktl_handlekatz_lsass_access.yml} | 6 +- ..._hktl_littlecorporal_generated_maldoc.yml} | 4 +- ...ml => proc_access_win_hktl_sysmonente.yml} | 29 ++-- ...proc_access_win_lsass_dump_comsvcs_dll.yml | 6 +- ...c_access_win_lsass_dump_keyword_image.yml} | 7 +- .../proc_access_win_lsass_memdump.yml | 46 +++++-- ...roc_access_win_lsass_python_based_tool.yml | 43 ++++++ ..._win_lsass_remote_access_trough_winrm.yml} | 14 +- ...proc_access_win_lsass_seclogon_access.yml} | 6 +- ...proc_access_win_lsass_susp_access_flag.yml | 128 ++++++++++++++++++ ...access_win_lsass_uncommon_access_flag.yml} | 24 ++-- .../proc_access_win_lsass_werfault.yml | 4 +- ...s_win_lsass_whitelisted_process_names.yml} | 11 +- ...access_win_shellcode_inject_msf_empire.yml | 60 -------- ...win_susp_direct_syscall_ntopenprocess.yml} | 80 +++++------ ...oc_access_win_susp_invoke_patchingapi.yml} | 13 +- ...proc_access_win_susp_proc_access_lsass.yml | 107 --------------- ...oc_access_win_susp_shellcode_injection.yml | 60 ++++++++ ...access_win_svchost_credential_dumping.yml} | 22 +-- 
...ccess_win_svchost_susp_access_request.yml} | 14 +- ...n_uac_bypass_editionupgrademanagerobj.yml} | 15 +- .../proc_creation_win_hktl_impacket_tools.yml | 2 +- .../proc_creation_win_hktl_winpeas.yml | 6 +- .../proc_creation_win_hktl_winpwn.yml | 51 +++++++ ...in_susp_hiding_malware_in_fonts_folder.yml | 4 - ...in_susp_homoglyph_cyrillic_lookalikes.yml} | 0 ...proc_tampering_susp_process_hollowing.yml} | 30 +--- ...susp_disk_access_using_uncommon_tools.yml} | 48 +++---- ...oc_access_win_lsass_powershell_access.yml} | 8 +- ..._access_win_lsass_susp_source_process.yml} | 45 +++--- 43 files changed, 725 insertions(+), 428 deletions(-) create mode 100644 sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml create mode 100644 sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml rename sigma/builtin/process_creation/{proc_creation_win_homoglyph_cyrillic_lookalikes.yml => proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml} (100%) rename sigma/sysmon/{process_access => deprecated}/proc_access_win_lazagne_cred_dump_lsass_access.yml (100%) rename sigma/sysmon/{process_access/proc_access_win_cred_dump_lsass_access.yml => deprecated/proc_access_win_lsass_susp_access.yml} (99%) rename sigma/sysmon/{process_access => deprecated}/proc_access_win_pypykatz_cred_dump_lsass_access.yml (100%) rename sigma/sysmon/{process_access => emerging-threats/2017/Malware/Hancitor}/proc_access_win_malware_verclsid_shellcode.yml (64%) rename sigma/sysmon/process_access/{proc_access_win_cobaltstrike_bof_injection_pattern.yml => proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml} (92%) create mode 100644 sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml rename sigma/sysmon/process_access/{proc_access_win_handlekatz_lsass_access.yml => proc_access_win_hktl_handlekatz_lsass_access.yml} (87%) rename sigma/sysmon/process_access/{proc_access_win_littlecorporal_generated_maldoc.yml => proc_access_win_hktl_littlecorporal_generated_maldoc.yml} (90%) 
rename sigma/sysmon/process_access/{proc_access_win_hack_sysmonente.yml => proc_access_win_hktl_sysmonente.yml} (58%) rename sigma/sysmon/process_access/{proc_access_win_lsass_memdump_indicators.yml => proc_access_win_lsass_dump_keyword_image.yml} (86%) create mode 100644 sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml rename sigma/sysmon/process_access/{proc_access_win_mimikatz_trough_winrm.yml => proc_access_win_lsass_remote_access_trough_winrm.yml} (63%) rename sigma/sysmon/process_access/{proc_access_win_susp_seclogon.yml => proc_access_win_lsass_seclogon_access.yml} (88%) create mode 100644 sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml rename sigma/sysmon/process_access/{proc_access_win_rare_proc_access_lsass.yml => proc_access_win_lsass_uncommon_access_flag.yml} (93%) rename sigma/sysmon/process_access/{proc_access_win_lsass_memdump_evasion.yml => proc_access_win_lsass_whitelisted_process_names.yml} (84%) delete mode 100644 sigma/sysmon/process_access/proc_access_win_shellcode_inject_msf_empire.yml rename sigma/sysmon/process_access/{proc_access_win_direct_syscall_ntopenprocess.yml => proc_access_win_susp_direct_syscall_ntopenprocess.yml} (51%) rename sigma/sysmon/process_access/{proc_access_win_invoke_patchingapi.yml => proc_access_win_susp_invoke_patchingapi.yml} (87%) delete mode 100644 sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass.yml create mode 100644 sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml rename sigma/sysmon/process_access/{proc_access_win_svchost_cred_dump.yml => proc_access_win_svchost_credential_dumping.yml} (51%) rename sigma/sysmon/process_access/{proc_access_win_invoke_phantom.yml => proc_access_win_svchost_susp_access_request.yml} (70%) rename sigma/sysmon/process_access/{proc_access_win_load_undocumented_autoelevated_com_interface.yml => proc_access_win_uac_bypass_editionupgrademanagerobj.yml} (72%) create mode 100644 
sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml rename sigma/sysmon/process_creation/{proc_creation_win_homoglyph_cyrillic_lookalikes.yml => proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml} (100%) rename sigma/sysmon/process_tampering/{proc_tampering_process_hollowing.yml => proc_tampering_susp_process_hollowing.yml} (58%) rename sigma/sysmon/raw_access_thread/{raw_access_thread_disk_access_using_illegitimate_tools.yml => raw_access_thread_susp_disk_access_using_uncommon_tools.yml} (62%) rename sigma/sysmon/{process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml => threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml} (80%) rename sigma/sysmon/{process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml => threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml} (80%) diff --git a/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml new file mode 100644 index 000000000..d5a5d52da --- /dev/null +++ b/sigma/builtin/powershell/powershell_script/posh_ps_hktl_winpwn.yml 
@@ -0,0 +1,54 @@
+title: HackTool - WinPwn Execution - ScriptBlock
+id: 851fd622-b675-4d26-b803-14bc7baa517a
+related:
+ - id: d557dc06-62e8-4468-a8e8-7984124908ce
+ type: similar
+status: experimental
+description: 'Detects scriptblock text keywords indicative of potential usge of the
+ tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+
+ '
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+ - https://github.com/S3cur3Th1sSh1t/WinPwn
+ - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+ - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+ - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+ - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.discovery
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1046
+ - attack.t1082
+ - attack.t1106
+ - attack.t1518
+ - attack.t1548.002
+ - attack.t1552.001
+ - attack.t1555
+ - attack.t1555.003
+logsource:
+ category: ps_script
+ product: windows
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ ps_script:
+ EventID: 4104
+ Channel:
+ - Microsoft-Windows-PowerShell/Operational
+ - PowerShellCore/Operational
+ selection:
+ ScriptBlockText|contains:
+ - Offline_Winpwn
+ - 'WinPwn '
+ - WinPwn.exe
+ - WinPwn.ps1
+ condition: ps_script and selection
+falsepositives:
+ - As the script block is a blob of text. False positive may occur with scripts
+ that contain the keyword as a reference or simply use it for detection.
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml
index a3f1eb1af..817c32347 100644
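Review bot: The description misspells "usage" as "usge" in `+description: 'Detects scriptblock text keywords indicative of potential usge of the`, and the sibling rule proc_creation_win_hktl_winpwn.yml added later in this patch carries the same typo. Suggest `description: 'Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.'` in both files. The falsepositives entry is also split into two fragments by a full stop; `As the script block is a blob of text, false positives may occur with scripts that reference the keyword or use it for detection.` reads as one sentence.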
--- a/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_impacket_tools.yml @@ -52,8 +52,8 @@ detection: - \sambaPipe_windows.exe - \smbclient_windows.exe - \smbserver_windows.exe - - \sniffer_windows.exe - \sniff_windows.exe + - \sniffer_windows.exe - \split_windows.exe - \ticketer_windows.exe condition: process_creation and selection diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml index 03041c984..89a4d4f4d 100644 --- a/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_winpeas.yml @@ -24,12 +24,12 @@ detection: selection_img: - OriginalFileName: winPEAS.exe - NewProcessName|endswith: - - \winPEASany.exe - \winPEASany_ofs.exe - - \winPEASx64.exe + - \winPEASany.exe - \winPEASx64_ofs.exe - - \winPEASx86.exe + - \winPEASx64.exe - \winPEASx86_ofs.exe + - \winPEASx86.exe selection_cli_option: CommandLine|contains: - ' applicationsinfo' diff --git a/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml b/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml new file mode 100644 index 000000000..a6b13fb2e --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_hktl_winpwn.yml 
@@ -0,0 +1,50 @@
+title: HackTool - WinPwn Execution
+id: d557dc06-62e8-4468-a8e8-7984124908ce
+related:
+ - id: 851fd622-b675-4d26-b803-14bc7baa517a
+ type: similar
+status: experimental
+description: 'Detects commandline keywords indicative of potential usge of the tool
+ WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
+
+ '
+author: Swachchhanda Shrawan Poudel
+date: 2023/12/04
+references:
+ - https://github.com/S3cur3Th1sSh1t/WinPwn
+ - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
+ - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
+ - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
+ - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.discovery
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1046
+ - attack.t1082
+ - attack.t1106
+ - attack.t1518
+ - attack.t1548.002
+ - attack.t1552.001
+ - attack.t1555
+ - attack.t1555.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_creation:
+ EventID: 4688
+ Channel: Security
+ selection:
+ CommandLine|contains:
+ - Offline_Winpwn
+ - 'WinPwn '
+ - WinPwn.exe
+ - WinPwn.ps1
+ condition: process_creation and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index 90ad7afeb..61b7387b0 100644
--- a/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/sigma/builtin/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -52,10 +52,6 @@ detection: - .msi - .vbs condition: process_creation and (all of selection_*) -fields: - - CommandLine - - ParentProcess - - CommandLine falsepositives: - Unknown level: medium diff --git a/sigma/builtin/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml b/sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml similarity index 100% rename from sigma/builtin/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml rename to sigma/builtin/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml diff --git a/sigma/sysmon/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/sigma/sysmon/deprecated/proc_access_win_lazagne_cred_dump_lsass_access.yml similarity index 100% rename from sigma/sysmon/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml rename to sigma/sysmon/deprecated/proc_access_win_lazagne_cred_dump_lsass_access.yml diff --git a/sigma/sysmon/process_access/proc_access_win_cred_dump_lsass_access.yml b/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml similarity index 99% rename from sigma/sysmon/process_access/proc_access_win_cred_dump_lsass_access.yml rename to sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml index 2642dc6cb..ecb5a9220 100644 --- a/sigma/sysmon/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/sigma/sysmon/deprecated/proc_access_win_lsass_susp_access.yml @@ -1,6 +1,6 @@ title: Credential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d -status: experimental +status: deprecated description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools references: 
@@ -12,7 +12,7 @@ author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, T Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community date: 2017/02/16 -modified: 2023/03/22 +modified: 2023/11/30 tags: - attack.credential_access - attack.t1003.001 diff --git a/sigma/sysmon/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml similarity index 100% rename from sigma/sysmon/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml rename to sigma/sysmon/deprecated/proc_access_win_pypykatz_cred_dump_lsass_access.yml diff --git a/sigma/sysmon/process_access/proc_access_win_malware_verclsid_shellcode.yml b/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml similarity index 64% rename from sigma/sysmon/process_access/proc_access_win_malware_verclsid_shellcode.yml rename to sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml index 6c1cbafd6..7f259b5b8 100644 --- a/sigma/sysmon/process_access/proc_access_win_malware_verclsid_shellcode.yml +++ b/sigma/sysmon/emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml 
@@ -12,28 +12,30 @@ tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 + - detection.emerging_threats - sysmon logsource: category: process_access product: windows - definition: 'Use the following config to generate the necessary Event ID 10 Process - Access events: VBE7.DLLUNKNOWN' + definition: 'Requirements: The following config is required to generate the necessary + Event ID 10 Process Access events: VBE7.DLLUNKNOWN' detection: process_access: EventID: 10 Channel: Microsoft-Windows-Sysmon/Operational - selection: + selection_target: TargetImage|endswith: \verclsid.exe GrantedAccess: '0x1FFFFF' - combination1: + selection_calltrace_1: CallTrace|contains|all: - '|UNKNOWN(' - VBE7.DLL - combination2: + selection_calltrace_2: SourceImage|contains: \Microsoft Office\ CallTrace|contains: '|UNKNOWN' - condition: process_access and (selection and 1 of combination*) + condition: process_access and (selection_target and 1 of selection_calltrace_*) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml b/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml index dfae00052..9c2cb9907 100644 --- a/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml +++ b/sigma/sysmon/process_access/proc_access_win_cmstp_execution_by_access.yml @@ -27,10 +27,6 @@ detection: selection: CallTrace|contains: cmlua.dll condition: process_access and selection -fields: - - CommandLine - - ParentCommandLine - - Details falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high 
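Review bot: The logsource `definition` on the new side ends in `Event ID 10 Process Access events: VBE7.DLLUNKNOWN`, which runs the two CallTrace values the rule needs (`VBE7.DLL` and `UNKNOWN`, both visible in `selection_calltrace_1`) together into one token, so as written it does not tell an operator what to put in the Sysmon configuration. If the original carried XML config tags that this page stripped, this is only a rendering artifact; if the string really is `VBE7.DLLUNKNOWN`, it should name the two values separately, e.g. `definition: 'Requirements: a Sysmon config that records Event ID 10 for CallTrace values containing VBE7.DLL and UNKNOWN'`. The renamed selections otherwise keep the old condition's semantics.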
diff --git a/sigma/sysmon/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml similarity index 92% rename from sigma/sysmon/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml rename to sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml index 4759f0888..a932f1631 100644 --- a/sigma/sysmon/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml @@ -1,4 +1,4 @@ -title: CobaltStrike BOF Injection Pattern +title: HackTool - CobaltStrike BOF Injection Pattern id: 09706624-b7f6-455d-9d02-adee024cee1d status: test description: Detects a typical pattern of a CobaltStrike BOF which inject into other @@ -8,7 +8,7 @@ references: - https://github.com/boku7/spawn author: Christian Burkard (Nextron Systems) date: 2021/08/04 -modified: 2022/12/31 +modified: 2023/11/28 tags: - attack.execution - attack.t1106 diff --git a/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml b/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml new file mode 100644 index 000000000..0c7ff6969 --- /dev/null +++ b/sigma/sysmon/process_access/proc_access_win_hktl_generic_access.yml 
@@ -0,0 +1,116 @@ +title: HackTool - Generic Process Access +id: d0d2f720-d14f-448d-8242-51ff396a334e +status: experimental +description: Detects process access requests from hacktool processes based on their + default image name +references: + - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158 + - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/11/27 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.s0002 + - sysmon +logsource: + category: process_access + product: windows +detection: + process_access: + EventID: 10 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + - SourceImage|endswith: + - \Akagi.exe + - \Akagi64.exe + - \atexec_windows.exe + - \Certify.exe + - \Certipy.exe + - \CoercedPotato.exe + - \crackmapexec.exe + - \CreateMiniDump.exe + - \dcomexec_windows.exe + - \dpapi_windows.exe + - \findDelegation_windows.exe + - \GetADUsers_windows.exe + - \GetNPUsers_windows.exe + - \getPac_windows.exe + - \getST_windows.exe + - \getTGT_windows.exe + - \GetUserSPNs_windows.exe + - \gmer.exe + - \hashcat.exe + - \htran.exe + - \ifmap_windows.exe + - \impersonate.exe + - \Inveigh.exe + - \LocalPotato.exe + - \mimikatz_windows.exe + - \mimikatz.exe + - \netview_windows.exe + - \nmapAnswerMachine_windows.exe + - \opdump_windows.exe + - \PasswordDump.exe + - \Potato.exe + - \PowerTool.exe + - \PowerTool64.exe + - \psexec_windows.exe + - \PurpleSharp.exe + - \pypykatz.exe + - \QuarksPwDump.exe + - \rdp_check_windows.exe + - \Rubeus.exe + - \SafetyKatz.exe + - \sambaPipe_windows.exe + - \SelectMyParent.exe + - \SharpChisel.exe + - \SharPersist.exe + - \SharpEvtMute.exe + - \SharpImpersonation.exe + - \SharpLDAPmonitor.exe + - \SharpLdapWhoami.exe + - \SharpUp.exe + - \SharpView.exe + - \smbclient_windows.exe + - \smbserver_windows.exe + - \sniff_windows.exe + - 
\sniffer_windows.exe + - \split_windows.exe + - \SpoolSample.exe + - \Stracciatella.exe + - \SysmonEOP.exe + - \temp\rot.exe + - \ticketer_windows.exe + - \TruffleSnout.exe + - \winPEASany_ofs.exe + - \winPEASany.exe + - \winPEASx64_ofs.exe + - \winPEASx64.exe + - \winPEASx86_ofs.exe + - \winPEASx86.exe + - \xordump.exe + - SourceImage|contains: + - \goldenPac + - \just_dce_ + - \karmaSMB + - \kintercept + - \LocalPotato + - \ntlmrelayx + - \rpcdump + - \samrdump + - \secretsdump + - \smbexec + - \smbrelayx + - \wmiexec + - \wmipersist + - HotPotato + - Juicy Potato + - JuicyPotato + - PetitPotam + - RottenPotato + condition: process_access and selection +falsepositives: + - Unlikely +level: high +ruletype: Sigma diff --git a/sigma/sysmon/process_access/proc_access_win_handlekatz_lsass_access.yml b/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml similarity index 87% rename from sigma/sysmon/process_access/proc_access_win_handlekatz_lsass_access.yml rename to sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml index 4d92c0b49..cdeec0f44 100644 --- a/sigma/sysmon/process_access/proc_access_win_handlekatz_lsass_access.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml @@ -1,4 +1,4 @@ -title: HandleKatz Duplicating LSASS Handle +title: HackTool - HandleKatz Duplicating LSASS Handle id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5 status: test description: Detects HandleKatz opening LSASS to duplicate its handle to later dump @@ -7,6 +7,7 @@ references: - https://github.com/codewhitesec/HandleKatz author: Bhabesh Raj (rule), @thefLinkk date: 2022/06/27 +modified: 2023/11/28 tags: - attack.execution - attack.t1106 
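Review bot: In proc_access_win_hktl_generic_access.yml `\LocalPotato` under `SourceImage|contains` is redundant with `\LocalPotato.exe` under `SourceImage|endswith`: every path the second matches the first already matches, so one of the two entries can go. The keyword entries without a path separator (`HotPotato`, `Juicy Potato`, `JuicyPotato`, `PetitPotam`, `RottenPotato`) match anywhere in the path, including a parent directory name, which is wider than the description's "default image name" wording; either state that in the description or anchor them with a leading `\` like the rest of the list. Since the whole rule keys on default file names, `falsepositives: - Unlikely` could also note that renamed copies are out of scope and that the LSASS access-flag rules in this patch are the complementary signal.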
@@ -23,11 +24,10 @@ detection: selection: TargetImage|endswith: \lsass.exe GrantedAccess: '0x1440' - call_trace: CallTrace|startswith: C:\Windows\System32\ntdll.dll+ CallTrace|contains: '|UNKNOWN(' CallTrace|endswith: ) - condition: process_access and (selection and call_trace) + condition: process_access and selection falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/sigma/sysmon/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml similarity index 90% rename from sigma/sysmon/process_access/proc_access_win_littlecorporal_generated_maldoc.yml rename to sigma/sysmon/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml index ab5ef3366..850b2a3e9 100644 --- a/sigma/sysmon/process_access/proc_access_win_littlecorporal_generated_maldoc.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml @@ -1,4 +1,4 @@ -title: LittleCorporal Generated Maldoc Injection +title: HackTool - LittleCorporal Generated Maldoc Injection id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac status: test description: Detects the process injection of a LittleCorporal generated Maldoc. @@ -6,7 +6,7 @@ references: - https://github.com/connormcgarr/LittleCorporal author: Christian Burkard (Nextron Systems) date: 2021/08/09 -modified: 2022/06/02 +modified: 2023/11/28 tags: - attack.execution - attack.t1204.002 diff --git a/sigma/sysmon/process_access/proc_access_win_hack_sysmonente.yml b/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml similarity index 58% rename from sigma/sysmon/process_access/proc_access_win_hack_sysmonente.yml rename to sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml index 6743b3d7f..1a995e81d 100644 --- a/sigma/sysmon/process_access/proc_access_win_hack_sysmonente.yml +++ b/sigma/sysmon/process_access/proc_access_win_hktl_sysmonente.yml 
@@ -1,4 +1,4 @@ -title: SysmonEnte Usage +title: HackTool - SysmonEnte Execution id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e status: test description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon @@ -8,7 +8,7 @@ references: - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png author: Florian Roth (Nextron Systems) date: 2022/09/07 -modified: 2022/09/09 +modified: 2023/11/28 tags: - attack.defense_evasion - attack.t1562.002 @@ -20,19 +20,24 @@ detection: process_access: EventID: 10 Channel: Microsoft-Windows-Sysmon/Operational - selection_1: - TargetImage: C:\Windows\Sysmon64.exe + selection_sysmon: + TargetImage|contains: + - :\Windows\Sysmon.exe + - :\Windows\Sysmon64.exe GrantedAccess: '0x1400' - filter_1: - SourceImage|startswith: - - C:\Program Files - - C:\Windows\System32\ - filter_msdefender: - SourceImage|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ - SourceImage|endswith: \MsMpEng.exe selection_calltrace: CallTrace: Ente - condition: process_access and (( selection_1 and not 1 of filter_* ) or selection_calltrace) + filter_main_generic: + SourceImage|contains: + - :\Program Files (x86)\ + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ + filter_main_msdefender: + SourceImage|contains: :\ProgramData\Microsoft\Windows Defender\Platform\ + SourceImage|endswith: \MsMpEng.exe + condition: process_access and (( selection_sysmon and not 1 of filter_main_* ) + or selection_calltrace) falsepositives: - Unknown level: high diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml index 167e04b47..f0dade521 100644 --- a/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml 
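Review bot: `selection_sysmon` misses Sysmon deployments that run under a renamed binary, because it matches only `:\Windows\Sysmon.exe` and `:\Windows\Sysmon64.exe`; such installs are common precisely to resist tampering tools, and for them only the `CallTrace: Ente` branch remains. A `definition` entry in logsource such as `definition: 'Adjust TargetImage if Sysmon is deployed under a custom binary name'` would make that dependency visible to operators. `filter_main_generic` also excludes any source whose path contains `:\Windows\System32\` or `:\Windows\SysWOW64\`, directories that administrators can write to; at `level: high` that trade-off is worth recording in `falsepositives` rather than leaving it as `Unknown`.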
@@ -8,7 +8,7 @@ references: - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/20 -modified: 2022/10/09 +modified: 2023/11/29 tags: - attack.credential_access - attack.t1003.001 @@ -22,10 +22,10 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: TargetImage|endswith: \lsass.exe - SourceImage: C:\Windows\System32\rundll32.exe + SourceImage|endswith: \rundll32.exe CallTrace|contains: comsvcs.dll condition: process_access and selection falsepositives: - Unknown -level: critical +level: high ruletype: Sigma diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_memdump_indicators.yml b/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml similarity index 86% rename from sigma/sysmon/process_access/proc_access_win_lsass_memdump_indicators.yml rename to sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml index 850925f24..f2fdfd09d 100644 --- a/sigma/sysmon/process_access/proc_access_win_lsass_memdump_indicators.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_dump_keyword_image.yml @@ -1,13 +1,14 @@ -title: LSASS Memory Access by Tool Named Dump +title: LSASS Memory Access by Tool With Dump Keyword In Name id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3 status: test -description: Detects a possible process memory dump based on a keyword in the file - name of the accessing process +description: Detects LSASS process access requests from a source process with the + "dump" keyword in its image name. references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz author: Florian Roth (Nextron Systems) date: 2022/02/10 +modified: 2023/11/29 tags: - attack.credential_access - attack.t1003.001 
diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml b/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml index eb7b9fb01..d39571e3e 100644 --- a/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_memdump.yml @@ -1,9 +1,13 @@ -title: LSASS Memory Dump +title: Credential Dumping Activity Via Lsass id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da -status: test -description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, - Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll - or dbgcore.dll for win10, server2016 and up. +status: experimental +description: 'Detects process access requests to the LSASS process with specific call + trace calls and access masks. + + This behaviour is expressed by many credential dumping tools such as Mimikatz, + NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. + + ' references: - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -11,7 +15,7 @@ references: - https://research.splunk.com/endpoint/windows_possible_credential_dumping/ author: Samir Bousseaden, Michael Haag date: 2019/04/03 -modified: 2022/09/29 +modified: 2023/11/29 tags: - attack.credential_access - attack.t1003.001 
@@ -28,22 +32,36 @@ detection: TargetImage|endswith: \lsass.exe GrantedAccess|contains: - '0x1038' - - '0x1438' - '0x143a' + - '0x1438' + - '0x1000' + - '0x01000' + - '0x1010' + - '0x1400' + - '0x1410' + - '0x1fffff' + - '0x40' CallTrace|contains: - - dbghelp.dll - dbgcore.dll + - dbghelp.dll + - kernel32.dll + - kernelbase.dll - ntdll.dll - filter_thor: + filter_main_system_user: + SourceUser|contains: + - AUTHORI + - AUTORI + filter_optional_thor: CallTrace|contains|all: - - '|C:\Windows\Temp\asgard2-agent\' + - :\Windows\Temp\asgard2-agent\ - \thor\thor64.exe+ - '|UNKNOWN(' GrantedAccess: '0x103800' - filter_sysmon: - SourceImage: C:\Windows\Sysmon64.exe - condition: process_access and (selection and not 1 of filter*) + filter_optional_sysmon: + SourceImage|endswith: :\Windows\Sysmon64.exe + condition: process_access and (selection and not 1 of filter_main_* and not 1 + of filter_optional_*) falsepositives: - - False positives are present when looking for 0x1410. Exclusions may be required. + - Unknown level: high ruletype: Sigma diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml b/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml new file mode 100644 index 000000000..a32c62960 --- /dev/null +++ b/sigma/sysmon/process_access/proc_access_win_lsass_python_based_tool.yml 
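Review bot: `filter_main_system_user` excludes every event whose `SourceUser` contains `AUTHORI` or `AUTORI`, i.e. all `NT AUTHORITY` system and service-account sources, and as a `filter_main_` it always applies; elevated credential dumping commonly runs in exactly that context, so this exclusion removes a large share of what the title "Credential Dumping Activity Via Lsass" promises. If the goal is to suppress noisy system-context access, `filter_optional_system_user` lets deployments opt in, and the description should say which sources are dropped. The `GrantedAccess|contains` values are substring matches, so the new `'0x1000'` also hits `0x10000`/`0x100000` and `'0x40'` hits `0x400`/`0x4000`; if only the exact masks are intended, `GrantedAccess` with an exact list is safer. The old falsepositives entry about `0x1410` was replaced by `Unknown` although `0x1410` is now in the list, so that known noise source should be carried over. On Sysmon builds that do not emit `SourceUser`, the filter simply never matches, which is harmless but worth noting.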
@@ -0,0 +1,43 @@
+title: Credential Dumping Activity By Python Based Tool
+id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
+related:
+ - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+ type: obsoletes
+ - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+ type: obsoletes
+status: stable
+description: Detects LSASS process access for potential credential dumping by a Python-like
+ tool such as LaZagne or Pypykatz.
+references:
+ - https://twitter.com/bh4b3sh/status/1303674603819081728
+ - https://github.com/skelsec/pypykatz
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2023/11/27
+modified: 2023/11/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0349
+ - sysmon
+logsource:
+ category: process_access
+ product: windows
+detection:
+ process_access:
+ EventID: 10
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ TargetImage|endswith: \lsass.exe
+ CallTrace|contains|all:
+ - _ctypes.pyd+
+ - :\Windows\System32\KERNELBASE.dll+
+ - :\Windows\SYSTEM32\ntdll.dll+
+ CallTrace|contains:
+ - python27.dll+
+ - python3*.dll+
+ GrantedAccess: '0x1FFFFF'
+ condition: process_access and selection
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_access/proc_access_win_mimikatz_trough_winrm.yml b/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
similarity index 63%
rename from sigma/sysmon/process_access/proc_access_win_mimikatz_trough_winrm.yml
rename to sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
index 0b2354961..ffc45dca4 100644
--- a/sigma/sysmon/process_access/proc_access_win_mimikatz_trough_winrm.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
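Review bot: `status: stable` on a rule first dated `2023/11/27` is inconsistent with the other new rules in this patch, which enter as `status: experimental`; the `related: type: obsoletes` entries suggest it inherits the status of the two rules it merges, but that reasoning is not visible to a reader of the file. A sentence in the description such as `Merges the former LaZagne and Pypykatz LSASS access rules; status carried over from those rules.` would explain it. The `python3*.dll+` value relies on `*` being a Sigma wildcard inside a `contains` value, which is valid but easy to misread as a literal, so a comment `# '*' is a wildcard: matches python3.dll, python310.dll, ...` next to it would help maintainers. Since the match requires `_ctypes.pyd+`, `KERNELBASE.dll+` and `ntdll.dll+` in the same call trace, the description could also state that only interpreter-backed Python tooling is in scope, so `level: high` is read with that coverage in mind.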
@@ -1,13 +1,13 @@
-title: Mimikatz through Windows Remote Management
+title: Remote LSASS Process Access Through Windows Remote Management
 id: aa35a627-33fb-4d04-a165-d33b4afca3e8
 status: stable
-description: Detects usage of mimikatz through WinRM protocol by monitoring access
- to lsass process by wsmprovhost.exe.
+description: Detects remote access to the LSASS process via WinRM. This could be a
+ sign of credential dumping from tools like mimikatz.
 references:
 - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
 author: Patryk Prauze - ING Tech
 date: 2019/05/20
-modified: 2021/06/21
+modified: 2023/11/29
 tags:
 - attack.credential_access
 - attack.execution
@@ -26,10 +26,10 @@ detection:
 Channel: Microsoft-Windows-Sysmon/Operational
 selection:
 TargetImage|endswith: \lsass.exe
- SourceImage: C:\Windows\system32\wsmprovhost.exe
- filter:
+ SourceImage|endswith: :\Windows\system32\wsmprovhost.exe
+ filter_main_access:
 GrantedAccess: '0x80000000'
- condition: process_access and (selection and not filter)
+ condition: process_access and (selection and not 1 of filter_main_*)
 falsepositives:
 - Unlikely
 level: high
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_seclogon.yml b/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
similarity index 88%
rename from sigma/sysmon/process_access/proc_access_win_susp_seclogon.yml
rename to sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
index b44554d32..45a81725e 100644
--- a/sigma/sysmon/process_access/proc_access_win_susp_seclogon.yml
+++ b/sigma/sysmon/process_access/proc_access_win_lsass_seclogon_access.yml
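Review bot: `filter_main_access` unconditionally excludes `GrantedAccess: '0x80000000'` (GENERIC_READ) for wsmprovhost.exe → lsass.exe, and it is a `filter_main_*` so consumers cannot opt out. GENERIC_READ is mapped by the object manager onto the process read rights a memory read needs (presumably why it shows up benignly), so code running in-process inside the remote PowerShell host — the scenario this rule targets, since a child process would have its own SourceImage — could request generic read instead of explicit `0x1010`/`0x1038` and fall under the filter; scoping the exclusion with a `CallTrace` constraint, or stating in `falsepositives` what benign caller produces it, would make the trade-off explicit. The new description also dropped the detail that the source must be wsmprovhost.exe itself; a clause such as `access originating from within the WinRM host process (wsmprovhost.exe), not from a child process` would keep the detection boundary clear.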
@@ -1,12 +1,14 @@ title: Suspicious LSASS Access Via MalSecLogon id: 472159c5-31b9-4f56-b794-b766faa8b0a7 status: test -description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll" +description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" + with a suspicious access right. references: - https://twitter.com/SBousseaden/status/1541920424635912196 - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html -author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma) +author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron + Systems) date: 2022/06/29 tags: - attack.credential_access diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml b/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml new file mode 100644 index 000000000..7faeda008 --- /dev/null +++ b/sigma/sysmon/process_access/proc_access_win_lsass_susp_access_flag.yml 
@@ -0,0 +1,128 @@
+title: Potentially Suspicious GrantedAccess Flags On LSASS
+id: a18dd26b-6450-46de-8c91-9659150cf088
+related:
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: similar
+status: experimental
+description: Detects process access requests to LSASS process with potentially suspicious
+ access flags
+references:
+ - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+ - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+ - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas
+ Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
+ oscd.community
+date: 2021/11/22
+modified: 2023/11/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0002
+ - sysmon
+logsource:
+ category: process_access
+ product: windows
+detection:
+ process_access:
+ EventID: 10
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection_target:
+ TargetImage|endswith: \lsass.exe
+ selection_access:
+ - GrantedAccess|endswith:
+ - '30'
+ - '50'
+ - '70'
+ - '90'
+ - B0
+ - D0
+ - F0
+ - '18'
+ - '38'
+ - '58'
+ - '78'
+ - '98'
+ - B8
+ - D8
+ - F8
+ - 1A
+ - 3A
+ - 5A
+ - 7A
+ - 9A
+ - BA
+ - DA
+ - FA
+ - '0x14C2'
+ - GrantedAccess|startswith:
+ - '0x100000'
+ - '0x1418'
+ - '0x1438'
+ - '0x143a'
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '0x40'
+ filter_main_generic:
+ SourceImage|contains:
+ - :\Program Files (x86)\
+ - :\Program Files\
+ - :\Windows\System32\
+ - :\Windows\SysWOW64\
+ filter_optional_malwarebytes:
+ SourceImage|endswith: :\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe
+ filter_optional_vscode:
+ SourceImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe
+ filter_main_windefend_1:
+ SourceImage|contains: :\ProgramData\Microsoft\Windows Defender\
+ SourceImage|endswith: \MsMpEng.exe
+ filter_main_windefend_2:
+ CallTrace|contains|all:
+ - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
+ - '}\mpengine.dll+'
+ GrantedAccess: '0x1418'
+ filter_main_windefend_3:
+ CallTrace|contains:
+ - '|c:\program files\windows defender\mprtp.dll'
+ - '|c:\program files\windows defender\MpClient.dll'
+ filter_optional_vmwaretools:
+ SourceImage|contains: :\ProgramData\VMware\VMware Tools\
+ SourceImage|endswith: \vmtoolsd.exe
+ filter_optional_sysinternals_process_explorer:
+ SourceImage|endswith:
+ - \PROCEXP64.EXE
+ - \PROCEXP.EXE
+ GrantedAccess: '0x40'
+ filter_optional_mbami:
+ SourceImage|endswith: \MBAMInstallerService.exe
+ GrantedAccess: '0x40'
+ filter_optional_nextron:
+ SourceImage|endswith:
+ - \aurora-agent-64.exe
+ - \aurora-agent.exe
+ - \thor.exe
+ - \thor64.exe
+ GrantedAccess: '0x40'
+ filter_main_explorer:
+ SourceImage|endswith: \explorer.exe
+ GrantedAccess: '0x401'
+ filter_optional_sysinternals_handle:
+ SourceImage|endswith:
+ - \handle.exe
+ - \handle64.exe
+ GrantedAccess: '0x40'
+ filter_optional_webex:
+ SourceImage|endswith: \AppData\Local\WebEx\WebexHost.exe
+ GrantedAccess: '0x401'
+ filter_optional_steam_apps:
+ SourceImage|contains: \SteamLibrary\steamapps\
+ condition: process_access and (all of selection_* and not 1 of filter_main_* and
+ not 1 of filter_optional_*)
+falsepositives:
+ - Legitimate software such as AV and EDR
+level: medium
+ruletype: Sigma
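Review bot: `filter_main_generic` suppresses every event whose SourceImage merely contains `:\Windows\System32\`, `:\Windows\SysWOW64\`, `:\Program Files\` or `:\Program Files (x86)\`, and because it is `filter_main_*` consumers cannot switch it off. `contains` rather than `startswith` matches those substrings anywhere in the path, and both System32 and SysWOW64 hold subfolders that standard users can write to (`\Tasks\` and `\spool\drivers\color\` are the well-known ones), so a dumper copied to e.g. `C:\Windows\System32\spool\drivers\color\` or to `D:\x\Program Files\` is silently excluded from a rule whose whole selection is the access mask. Tightening to `SourceImage|startswith` on the real roots plus a carve-out for the writable subfolders (a separate `filter_main_generic_writable` on `SourceImage|contains: ['\Tasks\', '\spool\drivers\color\']` negated in the condition), or demoting the path filter to `filter_optional_*`, keeps the noise reduction without the bypass. Separately, `filter_main_windefend_3` hard-codes `c:\program files\windows defender\` while the rest of the rule uses the drive-agnostic `:\` form, so Defender on a non-C: system install will not be excluded.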
diff --git a/sigma/sysmon/process_access/proc_access_win_rare_proc_access_lsass.yml b/sigma/sysmon/process_access/proc_access_win_lsass_uncommon_access_flag.yml similarity index 93% rename from sigma/sysmon/process_access/proc_access_win_rare_proc_access_lsass.yml rename to sigma/sysmon/process_access/proc_access_win_lsass_uncommon_access_flag.yml index 00b909231..3b747012a 100644 --- a/sigma/sysmon/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_uncommon_access_flag.yml @@ -1,11 +1,11 @@ -title: Rare GrantedAccess Flags on LSASS Access +title: Uncommon GrantedAccess Flags On LSASS id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65 related: - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d type: obsoletes status: test -description: Detects process access to LSASS memory with suspicious access flags 0x410 - and 0x01410 (spin-off of similar rule) +description: Detects process access to LSASS memory with uncommon access flags 0x410 + and 0x01410 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -14,7 +14,7 @@ references: - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth (Nextron Systems) date: 2022/03/13 -modified: 2022/11/13 +modified: 2023/11/30 tags: - attack.credential_access - attack.t1003.001 
@@ -32,18 +32,18 @@ detection: GrantedAccess|endswith: '10' filter1: SourceImage: - - C:\WINDOWS\system32\taskmgr.exe + - C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe - - C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe - - C:\WINDOWS\system32\taskhostw.exe - C:\Program Files\Windows Defender\MsMpEng.exe - - C:\Windows\SysWOW64\msiexec.exe - - C:\Windows\System32\msiexec.exe + - C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe - C:\Windows\System32\lsass.exe + - C:\Windows\System32\msiexec.exe - C:\WINDOWS\System32\perfmon.exe + - C:\WINDOWS\system32\taskhostw.exe + - C:\WINDOWS\system32\taskmgr.exe - C:\WINDOWS\system32\wbem\wmiprvse.exe + - C:\Windows\SysWOW64\msiexec.exe - C:\Windows\sysWOW64\wbem\wmiprvse.exe - - C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe filter2: SourceImage|startswith: C:\ProgramData\Microsoft\Windows Defender\ SourceImage|endswith: \MsMpEng.exe @@ -101,10 +101,6 @@ detection: - '0x410' - '0x10' condition: process_access and (selection and not 1 of filter*) -fields: - - User - - SourceImage - - GrantedAccess falsepositives: - Legitimate software accessing LSASS process for legitimate reason level: medium diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml b/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml index 9aa654fe5..e4c87abd6 100644 --- a/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_werfault.yml @@ -1,4 +1,4 @@ -title: WerFault Accassing LSASS +title: Credential Dumping Attempt Via WerFault id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7 status: test description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, 
@@ -8,7 +8,7 @@ references: - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507 author: Florian Roth (Nextron Systems) date: 2012/06/27 -modified: 2022/10/09 +modified: 2023/11/29 tags: - attack.credential_access - attack.t1003.001 diff --git a/sigma/sysmon/process_access/proc_access_win_lsass_memdump_evasion.yml b/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml similarity index 84% rename from sigma/sysmon/process_access/proc_access_win_lsass_memdump_evasion.yml rename to sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml index c4a81cfc2..334394515 100644 --- a/sigma/sysmon/process_access/proc_access_win_lsass_memdump_evasion.yml +++ b/sigma/sysmon/process_access/proc_access_win_lsass_whitelisted_process_names.yml @@ -1,15 +1,18 @@ -title: LSASS Access from White-Listed Processes +title: LSASS Access From Potentially White-Listed Processes id: 4be8b654-0c01-4c9d-a10c-6b28467fc651 status: test -description: Detects a possible process memory dump that uses the white-listed filename - like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft +description: 'Detects a possible process memory dump that uses a white-listed filename + like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference + + ' references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz - https://twitter.com/mrd0x/status/1460597833917251595 author: Florian Roth (Nextron Systems) date: 2022/02/10 +modified: 2023/11/29 tags: - attack.credential_access - attack.t1003.001 @@ -57,6 +60,6 @@ detection: - FF condition: process_access and selection falsepositives: - - Unlikely, since these tools shouldn't access lsass.exe at all + - Unknown level: high ruletype: Sigma 
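Review bot: In the whitelisted-process-names rule, `falsepositives` loses its one substantive statement (`Unlikely, since these tools shouldn't access lsass.exe at all`) in favour of `Unknown`; for a high-level rule keyed purely on image names that sentence is the triage hint an analyst needs, so keep it, rephrased if the name list has grown. The re-quoted `description` now ends with a blank line inside the single-quoted scalar (`interference\n\n'`), which survives as trailing whitespace in most converters; a plain unquoted scalar or `description: >-` avoids it. The `selection` block (`- FF` is its last list item) starts outside this hunk.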
diff --git a/sigma/sysmon/process_access/proc_access_win_shellcode_inject_msf_empire.yml b/sigma/sysmon/process_access/proc_access_win_shellcode_inject_msf_empire.yml deleted file mode 100644 index 17870868a..000000000 --- a/sigma/sysmon/process_access/proc_access_win_shellcode_inject_msf_empire.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -title: Potential Shellcode Injection -id: 250ae82f-736e-4844-a68b-0b5e8cc887da -status: test -description: Detects potential shellcode injection used by tools such as Metasploit's - migrate and Empire's psinject -author: Bhabesh Raj -date: 2022/03/11 -modified: 2023/10/17 -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 - - sysmon -logsource: - category: process_access - product: windows -detection: - process_access: - EventID: 10 - Channel: Microsoft-Windows-Sysmon/Operational - selection: - GrantedAccess: - - '0x147a' - - '0x1f3fff' - CallTrace|contains: UNKNOWN - filter_dell_folders: - SourceImage|startswith: - - C:\Program Files\Dell\ - - C:\Program Files (x86)\Dell\ - TargetImage|startswith: - - C:\Program Files\Dell\ - - C:\Program Files (x86)\Dell\ - GrantedAccess: '0x1F3FFF' - CallTrace|startswith: C:\Windows\System32\ntdll.dll - filter_dell_specifc: - SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe - TargetImage: C:\Windows\Explorer.EXE - GrantedAccess: '0x1F3FFF' - CallTrace|startswith: C:\Windows\System32\ntdll.dll - filter_visual_studio: - SourceImage: - - C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe - - C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe - TargetImage: - - C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe - - C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe - CallTrace|startswith: C:\Windows\System32\ntdll.dll - filter_ddvdatacollector: - SourceImage|startswith: C:\Program Files\Microsoft Visual Studio\ - SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe - TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe - filter_wmiprvese: - SourceImage: C:\Windows\System32\Wbem\Wmiprvse.exe - TargetImage: C:\Windows\system32\lsass.exe - CallTrace|startswith: C:\Windows\SYSTEM32\ntdll.dll - condition: 
process_access and (selection and not 1 of filter_*) -falsepositives: - - Unknown -level: high -ruletype: Sigma diff --git a/sigma/sysmon/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/sigma/sysmon/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml similarity index 51% rename from sigma/sysmon/process_access/proc_access_win_direct_syscall_ntopenprocess.yml rename to sigma/sysmon/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml index 246703f26..938ceeff3 100644 --- a/sigma/sysmon/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/sigma/sysmon/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml @@ -5,9 +5,9 @@ description: Detects the usage of the direct syscall of NtOpenProcess which migh be done from a CobaltStrike BOF. references: - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 -author: Christian Burkard (Nextron Systems), Tim Shelton +author: Christian Burkard (Nextron Systems), Tim Shelton (FP) date: 2021/07/28 -modified: 2023/10/11 +modified: 2023/11/27 tags: - attack.execution - attack.t1106 
@@ -21,68 +21,52 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: CallTrace|startswith: UNKNOWN - filter_main_1: - TargetImage|endswith: :\Program Files\Cylance\Desktop\CylanceUI.exe - SourceImage|endswith: :\Windows\Explorer.EXE - filter_main_2: - TargetImage|endswith: :\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe - SourceImage|contains: :\Program Files (x86)\Microsoft\Temp\ - SourceImage|endswith: \MicrosoftEdgeUpdate.exe - filter_main_3: + filter_main_vcredist: TargetImage|endswith: vcredist_x64.exe SourceImage|endswith: vcredist_x64.exe - filter_main_4: + filter_main_generic: + SourceImage|contains: + - :\Program Files (x86)\ + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ + - :\Windows\WinSxS\ + TargetImage|contains: + - :\Program Files (x86)\ + - :\Program Files\ + - :\Windows\System32\ + - :\Windows\SysWOW64\ + - :\Windows\WinSxS\ + filter_main_kerneltrace_edge: + Provider_Name: Microsoft-Windows-Kernel-Audit-API-Calls + filter_optional_vmware: TargetImage|endswith: :\Windows\system32\systeminfo.exe SourceImage|endswith: setup64.exe - filter_main_5: - TargetImage|endswith: AmazonSSMAgentSetup.exe + filter_optional_cylance: + SourceImage|endswith: :\Windows\Explorer.EXE + TargetImage|endswith: :\Program Files\Cylance\Desktop\CylanceUI.exe + filter_optional_amazon: SourceImage|endswith: AmazonSSMAgentSetup.exe - filter_main_6: - TargetImage|endswith: :\Program Files\Mozilla Firefox\firefox.exe - SourceImage|endswith: - - :\Program Files\Mozilla Firefox\firefox.exe - - :\Program Files\Mozilla Firefox\plugin-container.exe - filter_main_7: - TargetImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe + TargetImage|endswith: AmazonSSMAgentSetup.exe + filter_optional_vscode: SourceImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe - filter_main_8: - TargetImage|endswith: :\Program Files\Google\Chrome\Application\chrome.exe - SourceImage|endswith: :\Program 
Files\Google\Chrome\Application\chrome.exe - filter_main_9: - TargetImage|endswith: :\Program Files (x86)\Google\Update\GoogleUpdate.exe - SourceImage|endswith: :\Program Files (x86)\Google\Update\GoogleUpdate.exe - filter_main_10: + TargetImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe + filter_optional_teams: TargetImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe SourceImage|endswith: \AppData\Local\Microsoft\Teams\current\Teams.exe - filter_main_11: - TargetImage: C:\Windows\System32\backgroundTaskHost.exe - SourceImage: C:\Windows\System32\backgroundTaskHost.exe - filter_main_12: - TargetImage: C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe - SourceImage: C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe - filter_main_13: - TargetImage|startswith: C:\Users\ + filter_optional_discord: TargetImage|contains: \AppData\Local\Discord\ TargetImage|endswith: \Discord.exe - filter_main_14: - TargetImage: C:\WINDOWS\system32\AUDIODG.EXE - filter_main_15: - SourceImage|startswith: C:\Users\ + filter_optional_yammer: SourceImage|contains: \AppData\Local\yammerdesktop\app- SourceImage|endswith: \Yammer.exe - TargetImage|startswith: C:\Users\ TargetImage|contains: \AppData\Local\yammerdesktop\app- TargetImage|endswith: \Yammer.exe GrantedAccess: '0x1000' - filter_main_kerneltrace_edge: - Provider_Name: Microsoft-Windows-Kernel-Audit-API-Calls - filter_main_mixed: + filter_optional_evernote: TargetImage|endswith: \Evernote\Evernote.exe - filter_main_defender: - SourceImage: C:\Program Files\Microsoft Security Client\MsMpEng.exe - TargetImage: C:\Windows\system32\svchost.exe - GrantedAccess: '0x1000' - condition: process_access and (selection and not 1 of filter_main_*) + condition: process_access and (selection and not 1 of filter_main_* and not 1 + of filter_optional_*) falsepositives: - Unknown level: high 
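Review bot: The new `filter_main_generic` drops any direct-syscall NtOpenProcess as long as both SourceImage and TargetImage contain one of the Program Files / System32 / SysWOW64 / WinSxS substrings, replacing a dozen pinpoint source→target pairs with a path-only test. Because the match is `contains` and those trees include user-writable folders (`System32\Tasks\`, `System32\spool\drivers\color\`), a loader dropped there that opens `svchost.exe` or `lsass.exe` through a direct syscall — the behaviour this rule exists for — is excluded by a `filter_main_*` entry that consumers cannot disable. Suggest either keeping the observed pairs (the removed `filter_main_11`/`filter_main_14`-style entries were specific) or splitting the generic filter so it never applies when `TargetImage|endswith: \lsass.exe`, e.g. by adding a `selection_lsass` and conditioning `filter_main_generic` on `not selection_lsass`. The enclosing `detection` block starts before this hunk.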
diff --git a/sigma/sysmon/process_access/proc_access_win_invoke_patchingapi.yml b/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml similarity index 87% rename from sigma/sysmon/process_access/proc_access_win_invoke_patchingapi.yml rename to sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml index ec356e840..98122495b 100644 --- a/sigma/sysmon/process_access/proc_access_win_invoke_patchingapi.yml +++ b/sigma/sysmon/process_access/proc_access_win_susp_invoke_patchingapi.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 -modified: 2023/11/09 +modified: 2023/11/27 tags: - attack.defense_evasion - attack.t1562.002 @@ -50,16 +50,11 @@ detection: - :\Users\ - \AppData\Local\GitHubDesktop\app- filter_main_dotnet: - SourceImage|contains: - - :\Windows\Microsoft.NET\Framework\v - - :\Windows\Microsoft.NET\Framework64\v - SourceImage|endswith: \NGenTask.exe - TargetImage|contains: - - :\Windows\Microsoft.NET\Framework\v - - :\Windows\Microsoft.NET\Framework64\v + SourceImage|contains: :\Windows\Microsoft.NET\ + TargetImage|contains: :\Windows\Microsoft.NET\ filter_main_taskhost: SourceImage|contains: - - :\WINDOWS\system32\taskhostw.exe + - :\Windows\system32\taskhostw.exe - :\Windows\system32\taskhost.exe TargetImage|contains: - :\Windows\Microsoft.NET\Framework\v diff --git a/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass.yml b/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass.yml deleted file mode 100644 index 13eb350f4..000000000 --- a/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass.yml +++ /dev/null 
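Review bot: `filter_main_dotnet` is widened from NGenTask.exe under `Microsoft.NET\Framework*\v*` to any process under `:\Windows\Microsoft.NET\` patching any other process under that tree, which drops the executable constraint entirely. `C:\Windows\Microsoft.NET\` contains build-time folders (`Temporary ASP.NET Files`, for one) that can be writable to non-admin accounts on IIS and developer hosts, so anything dropped there now falls under a `filter_main_*` exclusion; the original `SourceImage|endswith: \NGenTask.exe` line was cheap to keep and should be restored next to the broadened `contains` clause. If other NGen-related images were the reason for loosening, list them explicitly rather than matching the whole tree. The enclosing `detection` block continues outside this hunk.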
@@ -1,107 +0,0 @@ -title: Suspicious GrantedAccess Flags on LSASS Access -id: a18dd26b-6450-46de-8c91-9659150cf088 -related: - - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d - type: obsoletes -status: experimental -description: Detects process access to LSASS memory with suspicious access flags -references: - - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf -author: Florian Roth (Nextron Systems) -date: 2021/11/22 -modified: 2023/05/17 -tags: - - attack.credential_access - - attack.t1003.001 - - attack.s0002 - - sysmon -logsource: - category: process_access - product: windows -detection: - process_access: - EventID: 10 - Channel: Microsoft-Windows-Sysmon/Operational - selection: - TargetImage|endswith: \lsass.exe - GrantedAccess|endswith: - - '30' - - '50' - - '70' - - '90' - - B0 - - D0 - - F0 - - '18' - - '38' - - '58' - - '78' - - '98' - - B8 - - D8 - - F8 - - 1A - - 3A - - 5A - - 7A - - 9A - - BA - - DA - - FA - - '0x14C2' - filter_absolute: - SourceImage: - - C:\WINDOWS\system32\taskmgr.exe - - C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe - - C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe - - C:\WINDOWS\system32\taskhostw.exe - - C:\Program Files\Windows Defender\MsMpEng.exe - - C:\Windows\SysWOW64\msiexec.exe - - C:\Windows\System32\msiexec.exe - - C:\Windows\System32\lsass.exe - - C:\WINDOWS\System32\perfmon.exe - - C:\Windows\System32\MRT.exe - - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe - - 
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe - filter_vscode: - SourceImage|startswith: C:\Users\ - SourceImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe - filter_windefend_1: - SourceImage|startswith: C:\ProgramData\Microsoft\Windows Defender\ - SourceImage|endswith: \MsMpEng.exe - filter_windefend_2: - CallTrace|contains|all: - - '|C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{' - - '}\mpengine.dll+' - GrantedAccess: '0x1418' - filter_windefend_3: - SourceImage: C:\Program Files\Microsoft Security Client\MsMpEng.exe - GrantedAccess: '0x1418' - filter_vmwaretools: - SourceImage|startswith: C:\ProgramData\VMware\VMware Tools\ - SourceImage|endswith: \vmtoolsd.exe - filter_generic_av: - SourceImage|startswith: - - C:\Program Files\ - - C:\Program Files (x86)\ - SourceImage|contains: Antivirus - filter_mrt: - SourceImage: C:\WINDOWS\system32\MRT.exe - GrantedAccess: '0x1418' - filter_mcafee: - SourceImage: C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe - filter_nextron: - SourceImage|startswith: C:\Windows\Temp\asgard2-agent\ - SourceImage|endswith: - - \thor64.exe - - \thor.exe - GrantedAccess: '0x1fffff' - condition: process_access and (selection and not 1 of filter_*) -falsepositives: - - Legitimate software such as AV and EDR -level: high -ruletype: Sigma diff --git a/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml b/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml new file mode 100644 index 000000000..2f27745da --- /dev/null +++ b/sigma/sysmon/process_access/proc_access_win_susp_shellcode_injection.yml 
@@ -0,0 +1,60 @@
+title: Potential Shellcode Injection
+id: 250ae82f-736e-4844-a68b-0b5e8cc887da
+status: test
+description: Detects potential shellcode injection used by tools such as Metasploit's
+ migrate and Empire's psinject
+author: Bhabesh Raj
+date: 2022/03/11
+modified: 2023/11/29
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+ - sysmon
+logsource:
+ category: process_access
+ product: windows
+detection:
+ process_access:
+ EventID: 10
+ Channel: Microsoft-Windows-Sysmon/Operational
+ selection:
+ GrantedAccess:
+ - '0x147a'
+ - '0x1f3fff'
+ CallTrace|contains: UNKNOWN
+ filter_optional_dell_folders:
+ SourceImage|contains:
+ - :\Program Files\Dell\
+ - :\Program Files (x86)\Dell\
+ TargetImage|contains:
+ - :\Program Files\Dell\
+ - :\Program Files (x86)\Dell\
+ GrantedAccess: '0x1F3FFF'
+ CallTrace|startswith: ?:\Windows\System32\ntdll.dll
+ filter_optional_dell_specifc:
+ SourceImage|endswith: :\Program Files (x86)\Dell\UpdateService\ServiceShell.exe
+ TargetImage|endswith: :\Windows\Explorer.EXE
+ GrantedAccess: '0x1F3FFF'
+ CallTrace|startswith: ?:\Windows\System32\ntdll.dll
+ filter_optional_visual_studio:
+ SourceImage|endswith:
+ - :\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe
+ - :\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe
+ TargetImage|endswith:
+ - :\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe
+ - :\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe
+ CallTrace|startswith: ?:\Windows\System32\ntdll.dll
+ filter_optional_ddvdatacollector:
+ SourceImage|contains: :\Program Files\Microsoft Visual Studio\
+ SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe
+ TargetImage|endswith: :\Program Files\Dell\DellDataVault\DDVDataCollector.exe
+ filter_optional_wmiprvese:
+ SourceImage|endswith: :\Windows\System32\Wbem\Wmiprvse.exe
+ TargetImage|endswith: :\Windows\system32\lsass.exe
+ CallTrace|startswith: ?:\Windows\SYSTEM32\ntdll.dll
+ condition: process_access and (selection and not 1 of filter_optional_*)
+falsepositives:
+ - Unknown
+level: high
+ruletype: Sigma
diff --git a/sigma/sysmon/process_access/proc_access_win_svchost_cred_dump.yml b/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
similarity index 51%
rename from sigma/sysmon/process_access/proc_access_win_svchost_cred_dump.yml
rename to sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
index 274682db0..636e9e665 100644
--- a/sigma/sysmon/process_access/proc_access_win_svchost_cred_dump.yml
+++ b/sigma/sysmon/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -1,8 +1,10 @@
-title: SVCHOST Credential Dump
+title: Credential Dumping Attempt Via Svchost
 id: 174afcfa-6e40-4ae9-af64-496546389294
 status: test
-description: Detects when a process, such as mimikatz, accesses the memory of svchost
- to dump credentials
+description: Detects when a process tries to access the memory of svchost to potentially
+ dump credentials.
+references:
+ - Internal Research
 author: Florent Labouyrie
 date: 2021/04/30
 modified: 2022/10/09
@@ -16,17 +18,15 @@ detection:
 process_access:
 EventID: 10
 Channel: Microsoft-Windows-Sysmon/Operational
- selection_process:
+ selection:
 TargetImage|endswith: \svchost.exe
- selection_memory:
 GrantedAccess: '0x143a'
- filter_trusted_process_access:
+ filter_main_known_processes:
 SourceImage|endswith:
- - '*\services.exe'
- - '*\msiexec.exe'
- condition: process_access and (selection_process and selection_memory and not
- filter_trusted_process_access)
+ - \services.exe
+ - \msiexec.exe
+ condition: process_access and (selection and not 1 of filter_main_*)
 falsepositives:
- - Non identified legit exectubale
+ - Unknown
 level: high
 ruletype: Sigma
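Review bot: `filter_optional_wmiprvese` drops wmiprvse.exe → lsass.exe events with `0x1F3FFF` full access and an `UNKNOWN` frame whenever the call trace starts in ntdll, which is also the shape an in-process dumper would produce: WmiPrvSE hosts third-party provider DLLs, so a malicious provider running inside it is excluded from the single highest-signal pairing this rule covers. If the exclusion exists for one specific provider, pin it by adding that provider DLL to `CallTrace|contains` instead of excluding the source/target pair wholesale; otherwise consider keeping lsass.exe targets out of every optional filter. Minor: the filter name `filter_optional_dell_specifc` has a typo (`specific`).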
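Review bot: `filter_main_known_processes` matches `SourceImage|endswith: \services.exe` / `\msiexec.exe` with no directory anchor, so any binary renamed to services.exe or msiexec.exe in any folder is excluded from a rule whose selection is just svchost + `0x143a`, and as a `filter_main_*` entry it cannot be disabled downstream. The rest of this commit anchors such paths to the system directory; do the same here: `- :\Windows\System32\services.exe`, `- :\Windows\System32\msiexec.exe` and `- :\Windows\SysWOW64\msiexec.exe`. The new `references: - Internal Research` placeholder says nothing about which benign access pattern motivated the msiexec exclusion; a sentence in `falsepositives` would be more useful than `Unknown`.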
diff --git a/sigma/sysmon/process_access/proc_access_win_invoke_phantom.yml b/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml similarity index 70% rename from sigma/sysmon/process_access/proc_access_win_invoke_phantom.yml rename to sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml index d0ddc78c6..7669e7640 100644 --- a/sigma/sysmon/process_access/proc_access_win_invoke_phantom.yml +++ b/sigma/sysmon/process_access/proc_access_win_svchost_susp_access_request.yml @@ -1,8 +1,8 @@ -title: Potential Svchost Memory Access +title: Suspicious Svchost Process Access id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde status: test -description: Detects potential access to svchost process memory such as that used - by Invoke-Phantom to kill the winRM Windows event logging service. +description: Detects suspicious access to the "svchost" process such as that used + by Invoke-Phantom to kill the thread of the Windows event logging service. references: - https://github.com/hlldz/Invoke-Phant0m - https://twitter.com/timbmsft/status/900724491076214784 @@ -21,16 +21,16 @@ detection: EventID: 10 Channel: Microsoft-Windows-Sysmon/Operational selection: - TargetImage|endswith: \WINDOWS\System32\svchost.exe + TargetImage|endswith: :\Windows\System32\svchost.exe GrantedAccess: '0x1F3FFF' CallTrace|contains: UNKNOWN - filter_msbuild: - SourceImage|startswith: C:\Program Files\Microsoft Visual Studio\ + filter_main_msbuild: + SourceImage|contains: :\Program Files\Microsoft Visual Studio\ SourceImage|endswith: \MSBuild\Current\Bin\MSBuild.exe CallTrace|contains: - Microsoft.Build.ni.dll - System.ni.dll - condition: process_access and (selection and not 1 of filter_*) + condition: process_access and (selection and not 1 of filter_main_*) falsepositives: - Unknown level: high 
diff --git a/sigma/sysmon/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml similarity index 72% rename from sigma/sysmon/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml rename to sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml index 6b30bb9eb..6b8ed89a8 100644 --- a/sigma/sysmon/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml +++ b/sigma/sysmon/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml @@ -1,13 +1,14 @@ -title: Load Undocumented Autoelevated COM Interface +title: Function Call From Undocumented COM Interface EditionUpgradeManager id: fb3722e4-1a06-46b6-b772-253e2e7db933 status: test -description: COM interface (EditionUpgradeManager) that is not used by standard executables. +description: Detects function calls from the EditionUpgradeManager COM interface. + Which is an interface that is not used by standard executables. references: - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 author: oscd.community, Dmitry Uchakin date: 2020/10/07 -modified: 2021/11/27 +modified: 2023/11/30 tags: - attack.defense_evasion - attack.privilege_escalation @@ -23,13 +24,7 @@ detection: selection: CallTrace|contains: editionupgrademanagerobj.dll condition: process_access and selection -fields: - - ComputerName - - User - - SourceImage - - TargetImage - - CallTrace falsepositives: - Unknown -level: high +level: medium ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml index dbfdf20e9..96b7a7028 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml 
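Review bot: In the EditionUpgradeManager rule, `level` drops from `high` to `medium` while `falsepositives` stays `Unknown` and the description still says the interface is not used by standard executables; if the downgrade reflects observed benign hits, record them in `falsepositives` so the severity change is reviewable, and if it does not, the reason for the change should be stated in the commit. The selection remains a bare `CallTrace|contains: editionupgrademanagerobj.dll` with no `SourceImage`/`TargetImage` constraint, so a named filter for whatever produced the noise would be a better lever than the level. The enclosing `detection` block starts before this hunk.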
+++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_impacket_tools.yml @@ -53,8 +53,8 @@ detection: - \sambaPipe_windows.exe - \smbclient_windows.exe - \smbserver_windows.exe - - \sniffer_windows.exe - \sniff_windows.exe + - \sniffer_windows.exe - \split_windows.exe - \ticketer_windows.exe condition: process_creation and selection diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml index f781340b1..5880ed172 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpeas.yml @@ -25,12 +25,12 @@ detection: selection_img: - OriginalFileName: winPEAS.exe - Image|endswith: - - \winPEASany.exe - \winPEASany_ofs.exe - - \winPEASx64.exe + - \winPEASany.exe - \winPEASx64_ofs.exe - - \winPEASx86.exe + - \winPEASx64.exe - \winPEASx86_ofs.exe + - \winPEASx86.exe selection_cli_option: CommandLine|contains: - ' applicationsinfo' diff --git a/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml new file mode 100644 index 000000000..a314f2cf1 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_hktl_winpwn.yml 
@@ -0,0 +1,51 @@ +title: HackTool - WinPwn Execution +id: d557dc06-62e8-4468-a8e8-7984124908ce +related: + - id: 851fd622-b675-4d26-b803-14bc7baa517a + type: similar +status: experimental +description: 'Detects commandline keywords indicative of potential usge of the tool + WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation. + + ' +author: Swachchhanda Shrawan Poudel +date: 2023/12/04 +references: + - https://github.com/S3cur3Th1sSh1t/WinPwn + - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841 + - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/ + - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md + - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team +tags: + - attack.credential_access + - attack.defense_evasion + - attack.discovery + - attack.execution + - attack.privilege_escalation + - attack.t1046 + - attack.t1082 + - attack.t1106 + - attack.t1518 + - attack.t1548.002 + - attack.t1552.001 + - attack.t1555 + - attack.t1555.003 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + CommandLine|contains: + - Offline_Winpwn + - 'WinPwn ' + - WinPwn.exe + - WinPwn.ps1 + condition: process_creation and selection +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml index 8e13b965f..4c522ae76 100644 --- a/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml +++ b/sigma/sysmon/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml 
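Review bot: The `description` in the new rule has a typo (`usge`), a non-word (`commandline`), and is written as a single-quoted multi-line scalar with an embedded blank line, which YAML folds into a literal newline inside the description string that every backend will render; `description: Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.` on one line avoids all three. The `related` entry `851fd622-b675-4d26-b803-14bc7baa517a` of type `similar` is presumably the PowerShell-script counterpart of this rule, but nothing in the hunk says so; a one-line `# PowerShell script-block variant of this rule` comment above it would save the next maintainer a lookup. The detection itself is four case-insensitive substrings (`Offline_Winpwn`, `'WinPwn '`, `WinPwn.exe`, `WinPwn.ps1`), so it is defeated by renaming the script; that is the normal trade-off for a HackTool keyword rule, but it is worth one sentence in the description so consumers do not treat a miss as evidence of absence.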
@@ -53,10 +53,6 @@ detection: - .msi - .vbs condition: process_creation and (all of selection_*) -fields: - - CommandLine - - ParentProcess - - CommandLine falsepositives: - Unknown level: medium diff --git a/sigma/sysmon/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml b/sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml similarity index 100% rename from sigma/sysmon/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml rename to sigma/sysmon/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml diff --git a/sigma/sysmon/process_tampering/proc_tampering_process_hollowing.yml b/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml similarity index 58% rename from sigma/sysmon/process_tampering/proc_tampering_process_hollowing.yml rename to sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml index 7a1f24fa5..6bb042c84 100644 --- a/sigma/sysmon/process_tampering/proc_tampering_process_hollowing.yml +++ b/sigma/sysmon/process_tampering/proc_tampering_susp_process_hollowing.yml @@ -8,7 +8,7 @@ references: - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S date: 2022/01/25 -modified: 2023/09/16 +modified: 2023/11/28 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -23,37 +23,17 @@ detection: Channel: Microsoft-Windows-Sysmon/Operational selection: Type: Image is replaced - filter_main_generic_1: + filter_main_generic: Image|contains: - - :\Program Files\ - :\Program Files (x86) - filter_main_generic_2: - Image: + - :\Program Files\ - :\Windows\System32\wbem\WMIADAP.exe - :\Windows\SysWOW64\wbem\WMIADAP.exe filter_optional_opera: Image|contains: \AppData\Local\Programs\Opera\ Image|endswith: \opera.exe - filter_optional_chrome: - Image: - - C:\Program Files\Google\Chrome\Application\chrome.exe - - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe - filter_optional_firefox: - Image: - - C:\Program Files\Mozilla Firefox\firefox.exe - - C:\Program Files (x86)\Mozilla Firefox\firefox.exe - filter_optional_edge_1: - - Image|endswith: \WindowsApps\MicrosoftEdge.exe - - Image: - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - - C:\Program Files\Microsoft\Edge\Application\msedge.exe - filter_optional_edge_2: - Image|startswith: - - C:\Program Files (x86)\Microsoft\EdgeCore\ - - C:\Program Files\Microsoft\EdgeCore\ - Image|endswith: - - \msedge.exe - - \msedgewebview2.exe + filter_optional_edge: + Image|endswith: \WindowsApps\MicrosoftEdge.exe condition: process_tampering and (selection and not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: diff --git a/sigma/sysmon/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml b/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml similarity index 62% rename from sigma/sysmon/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml rename to sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml index a8184a565..ebdf26084 100644 --- a/sigma/sysmon/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml +++ b/sigma/sysmon/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml 
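Review bot: The merged `filter_main_generic` list is inconsistent: `:\Program Files (x86)` has no trailing backslash while `:\Program Files\` does, and the two WMIADAP entries were downgraded from an exact `Image:` match to `Image|contains`, so all four are now unanchored substring tests; `- ':\Program Files (x86)\'` restores the boundary, and the WMIADAP pair would be more precise as its own `filter_main_wmiadap:` using `Image|endswith:` instead of `contains`. Dropping the `C:` anchor also means any volume on which a user can create `\Program Files\` (a data drive or removable disk) now satisfies the exclusion; whether standard users can create that directory depends on the volume's root ACL, so confirm that before relying on the wider match. Removing the explicit Chrome/Firefox/Edge filters because they fall under `:\Program Files` is fine, but it makes the blanket exclusion load-bearing: a hollowed copy of any legitimately installed binary under Program Files is invisible to this rule, and the `falsepositives` section (outside this hunk) should say so.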
@@ -8,7 +8,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2023/09/06 +modified: 2023/11/28 tags: - attack.defense_evasion - attack.t1006 
@@ -23,53 +23,47 @@ detection: filter_main_floppy: Device|contains: floppy filter_main_generic: - Image|startswith: - - C:\Program Files\ - - C:\Program Files (x86)\ - - C:\Windows\System32\ - - C:\Windows\SystemApps\ - - C:\Windows\WinSxS\ - - C:\Windows\servicing\ - - C:\Windows\CCM\ - - C:\Windows\uus\ - filter_main_setuphost: - Image: C:\$WINDOWS.~BT\Sources\SetupHost.exe + Image|contains: + - :\$WINDOWS.~BT\ + - :\Program Files (x86)\ + - :\Program Files\ + - :\Windows\CCM\ + - :\Windows\explorer.exe + - :\Windows\servicing\ + - :\Windows\SoftwareDistribution\ + - :\Windows\System32\ + - :\Windows\SystemApps\ + - :\Windows\uus\ + - :\Windows\WinSxS\ filter_main_system_images: Image: - - System - Registry - filter_main_specific: - Image: C:\Windows\explorer.exe + - System filter_main_windefender: - Image|startswith: C:\ProgramData\Microsoft\Windows Defender\Platform\ + Image|contains: :\ProgramData\Microsoft\Windows Defender\Platform\ Image|endswith: \MsMpEng.exe filter_main_microsoft_appdata: Image|contains|all: - - C:\Users\ + - :\Users\ - \AppData\ - \Microsoft\ - filter_main_windows_update_box: - Image|startswith: C:\Windows\SoftwareDistribution\Download - Image|endswith: \WindowsUpdateBox.exe filter_main_ssd_nvme: - Image|startswith: C:\Windows\Temp\ + Image|contains: :\Windows\Temp\ Image|endswith: - - \HostMetadata\NVMEHostmetadata.exe - \Executables\SSDUpdate.exe + - \HostMetadata\NVMEHostmetadata.exe filter_main_null: Image: null filter_main_systemsettings: - Image: C:\Windows\ImmersiveControlPanel\SystemSettings.exe + Image|endswith: :\Windows\ImmersiveControlPanel\SystemSettings.exe filter_optional_github_desktop: - Image|startswith: C:\Users\ Image|contains: \AppData\Local\GitHubDesktop\app- Image|endswith: \resources\app\git\mingw64\bin\git.exe filter_optional_nextron: - Image|startswith: C:\Windows\Temp\asgard2-agent\ + Image|contains: :\Windows\Temp\asgard2-agent\ Image|endswith: \thor.exe filter_optional_Keybase: - Image|endswith: C:\Users\ - 
Image|startswith: \AppData\Local\Keybase\upd.exe + Image|contains: \AppData\Local\Keybase\upd.exe condition: raw_access_thread and (not 1 of filter_main_* and not 1 of filter_optional_*) falsepositives: - Likely diff --git a/sigma/sysmon/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml similarity index 80% rename from sigma/sysmon/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml rename to sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml index 252de2df5..5ef7c5ca5 100644 --- a/sigma/sysmon/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml +++ b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_powershell_access.yml @@ -6,15 +6,17 @@ related: - id: fb656378-f909-47c1-8747-278bf09f4f4f type: similar status: test -description: Detects PowerShell processes requesting access to "lsass.exe" +description: Detects a PowerShell process requesting access to "lsass.exe", which + can be indicative of potential credential dumping attempts references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2022/12/18 +modified: 2023/11/28 tags: - attack.credential_access - attack.t1003.001 + - detection.threat_hunting - sysmon logsource: product: windows @@ -31,5 +33,5 @@ detection: condition: process_access and selection falsepositives: - Unknown -level: high +level: medium ruletype: Sigma 
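Review bot: Replacing `Image|startswith: C:\…` with `Image|contains: :\…` for `\Windows\System32\`, `\Windows\Temp\`, `\Windows\SoftwareDistribution\`, `\Program Files\` and `\$WINDOWS.~BT\` turns system-root exclusions into any-drive exclusions, and this rule is about raw volume reads used for credential dumping: a tool at `D:\Windows\System32\dump.exe` or `E:\Windows\Temp\x.exe` now passes `filter_main_generic` / `filter_main_ssd_nvme` untouched. Whether a standard user can create `\Windows\…` on a data or removable volume depends on that volume's root ACL, but it is commonly permitted, so the wider match trades multi-drive coverage for an easy bypass. If the intent is only to cope with non-`C:` system drives, keep `Image|startswith:` and enumerate the letters actually in use, or at least record the trade-off: `falsepositives: - Binaries placed under a \Windows\ or \Program Files\ path on a non-system volume are filtered by design`.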
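Review bot: With `level` lowered to `medium` and `detection.threat_hunting` added, this rule now feeds hunters rather than alerting, yet `falsepositives` still says `Unknown`; for a hunting query the expected benign population is what makes it usable. The selection sits outside these hunks, so this is hedged, but if it matches any PowerShell `SourceImage` against `lsass.exe` without constraining `GrantedAccess`, routine `Get-Process`-style enumeration will appear with query-limited rights (`0x1000`) alongside the masks that include `0x10` (VM_READ) a dumper needs, and the description should tell the hunter to pivot on `GrantedAccess` and `CallTrace`. Suggested: `falsepositives: - Administrative PowerShell sessions enumerating processes; triage on GrantedAccess and CallTrace rather than on the event alone`.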
diff --git a/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml similarity index 80% rename from sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml rename to sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml index 2f0a65e62..7dbd74731 100644 --- a/sigma/sysmon/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/sigma/sysmon/threat-hunting/process_access/proc_access_win_lsass_susp_source_process.yml @@ -1,4 +1,4 @@ -title: LSASS Access From Program in Potentially Suspicious Folder +title: LSASS Access From Program In Potentially Suspicious Folder id: fa34b441-961a-42fa-a100-ecc28c886725 status: experimental description: Detects process access to LSASS memory with suspicious access flags and @@ -11,7 +11,7 @@ references: - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth (Nextron Systems) date: 2021/11/27 -modified: 2023/05/05 +modified: 2023/11/27 tags: - attack.credential_access - attack.t1003.001 @@ -60,8 +60,9 @@ detection: - \AppData\ - \Temporary filter_optional_generic_appdata: - SourceImage|startswith: C:\Users\ - SourceImage|contains: \AppData\Local\ + SourceImage|contains|all: + - :\Users\ + - \AppData\Local\ SourceImage|endswith: - \Microsoft VS Code\Code.exe - \software_reporter_tool.exe 
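Review bot: `filter_optional_generic_appdata` exempts LSASS opens at `GrantedAccess: '0x410'` (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the pair a minidump needs) from binaries identified only by a suffix such as `\Microsoft VS Code\Code.exe` under `\AppData\Local\`, a user-writable location; the hunk makes the prefix drive-agnostic (`:\Users\`) but the exemption is still defeated by dropping a tool at `%LOCALAPPDATA%\Microsoft VS Code\Code.exe`. Sysmon Event 10 carries no signer information, so the rule cannot tighten this itself; what it can do is say so, e.g. `# NOTE: path-only exemption; a renamed dumper placed here at 0x410 is not alerted - pair with an access-flag rule that has no path exemptions` above the filter. The remaining `endswith` entries of this filter (`\software_reporter_tool.exe` and the lines past the end of this hunk) carry the same caveat.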
@@ -72,26 +73,27 @@ detection: - \JetBrains\Toolbox\bin\jetbrains-toolbox.exe GrantedAccess: '0x410' filter_optional_dropbox_1: - SourceImage|startswith: C:\Windows\Temp\ + SourceImage|contains: :\Windows\Temp\ SourceImage|endswith: .tmp\DropboxUpdate.exe GrantedAccess: - '0x410' - '0x1410' filter_optional_dropbox_2: - SourceImage|startswith: C:\Users\ - SourceImage|contains: \AppData\Local\Temp\ + SourceImage|contains|all: + - :\Users\ + - \AppData\Local\Temp\ SourceImage|endswith: .tmp\DropboxUpdate.exe GrantedAccess: '0x1410' filter_optional_dropbox_3: - SourceImage|startswith: - - C:\Program Files (x86)\Dropbox\ - - C:\Program Files\Dropbox\ + SourceImage|contains: + - :\Program Files (x86)\Dropbox\ + - :\Program Files\Dropbox\ SourceImage|endswith: \DropboxUpdate.exe GrantedAccess: '0x1410' filter_optional_nextron: - SourceImage|startswith: - - C:\Windows\Temp\asgard2-agent\ - - C:\Windows\Temp\asgard2-agent-sc\ + SourceImage|contains: + - :\Windows\Temp\asgard2-agent\ + - :\Windows\Temp\asgard2-agent-sc\ SourceImage|endswith: - \thor64.exe - \thor.exe @@ -102,19 +104,19 @@ detection: - '0x1010' - '0x101010' filter_optional_ms_products: - SourceImage|startswith: C:\Users\ SourceImage|contains|all: + - :\Users\ - \AppData\Local\Temp\ - \vs_bootstrapper_ GrantedAccess: '0x1410' filter_optional_chrome_update: - SourceImage|startswith: C:\Program Files (x86)\Google\Temp\ + SourceImage|contains: :\Program Files (x86)\Google\Temp\ SourceImage|endswith: .tmp\GoogleUpdate.exe GrantedAccess: - '0x410' - '0x1410' filter_optional_keybase: - SourceImage|startswith: C:\Users\ + SourceImage|contains: :\Users\ SourceImage|endswith: \AppData\Local\Keybase\keybase.exe GrantedAccess: '0x1fffff' filter_optional_avira: 
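Review bot: `filter_optional_keybase` exempts `GrantedAccess: '0x1fffff'` (PROCESS_ALL_ACCESS) on LSASS for any `SourceImage` ending in `\AppData\Local\Keybase\keybase.exe` under a user profile, the strongest exemption in this file and keyed on nothing but a filename in a user-writable directory; the hunk only relaxes the prefix to `:\Users\`, but it is the right place to flag it. Since Sysmon Event 10 has no signer field the rule cannot verify the binary, so add `# NOTE: 0x1fffff is PROCESS_ALL_ACCESS from a user-writable path; enable this filter only where Keybase is deployed` and keep it under `filter_optional_` so deployments without Keybase drop it. The same reasoning applies to `filter_optional_dropbox_1`, which now trusts `:\Windows\Temp\…\.tmp\DropboxUpdate.exe` on any volume; whether standard users can create files there depends on the `Windows\Temp` ACL of the volume in question, so confirm before widening.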
@@ -122,22 +124,17 @@ detection: SourceImage|endswith: .tmp\avira_system_speedup.tmp GrantedAccess: '0x1410' filter_optional_viberpc_updater: - SourceImage|startswith: C:\Users\ SourceImage|contains: \AppData\Roaming\ViberPC\ SourceImage|endswith: \updater.exe TargetImage|endswith: \winlogon.exe GrantedAccess: '0x1fffff' filter_optional_adobe_arm_helper: - SourceImage|startswith: - - C:\Program Files\Common Files\Adobe\ARM\ - - C:\Program Files (x86)\Common Files\Adobe\ARM\ + SourceImage|contains: + - :\Program Files\Common Files\Adobe\ARM\ + - :\Program Files (x86)\Common Files\Adobe\ARM\ SourceImage|endswith: \AdobeARMHelper.exe GrantedAccess: '0x1410' condition: process_access and (selection and not 1 of filter_optional_*) -fields: - - User - - SourceImage - - GrantedAccess falsepositives: - Updaters and installers are typical false positives. Apply custom filters depending on your environment