diff --git a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/deprecated/windows/proc_access_win_lazagne_cred_dump_lsass_access.yml
similarity index 100%
rename from rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
rename to deprecated/windows/proc_access_win_lazagne_cred_dump_lsass_access.yml
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/deprecated/windows/proc_access_win_lsass_susp_access.yml
old mode 100755
new mode 100644
similarity index 99%
rename from rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
rename to deprecated/windows/proc_access_win_lsass_susp_access.yml
index 66438bb408a..3565fd75c5d
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/deprecated/windows/proc_access_win_lsass_susp_access.yml
@@ -1,6 +1,6 @@
title: Credential Dumping Tools Accessing LSASS Memory
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-status: experimental
+status: deprecated
description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -9,7 +9,7 @@ references:
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2017/02/16
-modified: 2023/03/22
+modified: 2023/11/30
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml b/deprecated/windows/proc_access_win_pypykatz_cred_dump_lsass_access.yml
similarity index 100%
rename from rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml
rename to deprecated/windows/proc_access_win_pypykatz_cred_dump_lsass_access.yml
diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
old mode 100755
new mode 100644
similarity index 63%
rename from rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
rename to rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
index c316dcd4376..22367001c0d
--- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml
@@ -11,22 +11,23 @@ tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
+ - detection.emerging_threats
logsource:
category: process_access
product: windows
- definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+ definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
- selection:
+ selection_target:
TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
- combination1:
+ selection_calltrace_1:
CallTrace|contains|all:
- '|UNKNOWN('
- 'VBE7.DLL'
- combination2:
+ selection_calltrace_2:
SourceImage|contains: '\Microsoft Office\'
CallTrace|contains: '|UNKNOWN'
- condition: selection and 1 of combination*
+ condition: selection_target and 1 of selection_calltrace_*
falsepositives:
- Unknown
level: high
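Review bot: The new `definition` value runs the two CallTrace indicators together as `VBE7.DLLUNKNOWN`, so a reader cannot tell that the Sysmon configuration needs two separate CallTrace `contains` conditions (one for `VBE7.DLL`, one for `UNKNOWN`) to produce the Event ID 10 records this rule consumes. If the page rendering dropped configuration markup this is moot, but if the file really holds that literal text the sentence should name the two values, e.g. `definition: 'Requirements: A Sysmon config with Event ID 10 CallTrace conditions containing "VBE7.DLL" and "UNKNOWN" is required to generate the necessary Process Access events'`. The renamed selections and the rewritten condition are equivalent to the old `selection and 1 of combination*`; the rule's title, id and references sit above the hunk.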
diff --git a/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
similarity index 78%
rename from rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml
rename to rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
index 64d97ef68f9..bbf75c211f7 100644
--- a/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml
@@ -6,15 +6,16 @@ related:
- id: fb656378-f909-47c1-8747-278bf09f4f4f
type: similar
status: test
-description: Detects PowerShell processes requesting access to "lsass.exe"
+description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020/10/06
-modified: 2022/12/18
+modified: 2023/11/28
tags:
- attack.credential_access
- attack.t1003.001
+ - detection.threat_hunting
logsource:
product: windows
category: process_access
@@ -27,4 +28,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
similarity index 78%
rename from rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
rename to rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
index 81c4db3def4..8bbf6e456f4 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
@@ -1,4 +1,4 @@
-title: LSASS Access From Program in Potentially Suspicious Folder
+title: LSASS Access From Program In Potentially Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: experimental
description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
@@ -10,7 +10,7 @@ references:
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth (Nextron Systems)
date: 2021/11/27
-modified: 2023/05/05
+modified: 2023/11/27
tags:
- attack.credential_access
- attack.t1003.001
@@ -55,8 +55,9 @@ detection:
- '\AppData\'
- '\Temporary'
filter_optional_generic_appdata:
- SourceImage|startswith: 'C:\Users\'
- SourceImage|contains: '\AppData\Local\'
+ SourceImage|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\'
SourceImage|endswith:
- '\Microsoft VS Code\Code.exe'
- '\software_reporter_tool.exe'
@@ -67,26 +68,27 @@ detection:
- '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'
GrantedAccess: '0x410'
filter_optional_dropbox_1:
- SourceImage|startswith: 'C:\Windows\Temp\'
+ SourceImage|contains: ':\Windows\Temp\'
SourceImage|endswith: '.tmp\DropboxUpdate.exe'
GrantedAccess:
- '0x410'
- '0x1410'
filter_optional_dropbox_2:
- SourceImage|startswith: 'C:\Users\'
- SourceImage|contains: '\AppData\Local\Temp\'
+ SourceImage|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Temp\'
SourceImage|endswith: '.tmp\DropboxUpdate.exe'
GrantedAccess: '0x1410'
filter_optional_dropbox_3:
- SourceImage|startswith:
- - 'C:\Program Files (x86)\Dropbox\'
- - 'C:\Program Files\Dropbox\'
+ SourceImage|contains:
+ - ':\Program Files (x86)\Dropbox\'
+ - ':\Program Files\Dropbox\'
SourceImage|endswith: '\DropboxUpdate.exe'
GrantedAccess: '0x1410'
filter_optional_nextron:
- SourceImage|startswith:
- - 'C:\Windows\Temp\asgard2-agent\'
- - 'C:\Windows\Temp\asgard2-agent-sc\'
+ SourceImage|contains:
+ - ':\Windows\Temp\asgard2-agent\'
+ - ':\Windows\Temp\asgard2-agent-sc\'
SourceImage|endswith:
- '\thor64.exe'
- '\thor.exe'
@@ -97,19 +99,19 @@ detection:
- '0x1010'
- '0x101010'
filter_optional_ms_products:
- SourceImage|startswith: 'C:\Users\'
SourceImage|contains|all:
+ - ':\Users\'
- '\AppData\Local\Temp\'
- '\vs_bootstrapper_'
GrantedAccess: '0x1410'
filter_optional_chrome_update:
- SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
+ SourceImage|contains: ':\Program Files (x86)\Google\Temp\'
SourceImage|endswith: '.tmp\GoogleUpdate.exe'
GrantedAccess:
- '0x410'
- '0x1410'
filter_optional_keybase:
- SourceImage|startswith: 'C:\Users\'
+ SourceImage|contains: ':\Users\'
SourceImage|endswith: \AppData\Local\Keybase\keybase.exe
GrantedAccess: '0x1fffff'
filter_optional_avira:
@@ -117,22 +119,17 @@ detection:
SourceImage|endswith: '.tmp\avira_system_speedup.tmp'
GrantedAccess: '0x1410'
filter_optional_viberpc_updater:
- SourceImage|startswith: 'C:\Users\'
SourceImage|contains: '\AppData\Roaming\ViberPC\'
SourceImage|endswith: '\updater.exe'
TargetImage|endswith: '\winlogon.exe'
GrantedAccess: '0x1fffff'
filter_optional_adobe_arm_helper:
- SourceImage|startswith: # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
- - 'C:\Program Files\Common Files\Adobe\ARM\'
- - 'C:\Program Files (x86)\Common Files\Adobe\ARM\'
+ SourceImage|contains: # Example path: 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\2092867405\AdobeARMHelper.exe'
+ - ':\Program Files\Common Files\Adobe\ARM\'
+ - ':\Program Files (x86)\Common Files\Adobe\ARM\'
SourceImage|endswith: '\AdobeARMHelper.exe'
GrantedAccess: '0x1410'
condition: selection and not 1 of filter_optional_*
-fields:
- - User
- - SourceImage
- - GrantedAccess
falsepositives:
- Updaters and installers are typical false positives. Apply custom filters depending on your environment
level: medium
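Review bot: `filter_optional_viberpc_updater` loses its `SourceImage|startswith: 'C:\Users\'` line without the `contains ':\Users\'` replacement that every other filter in this file received (`filter_optional_keybase`, `filter_optional_ms_products`, the dropbox filters), so the Viber exclusion now applies to an `updater.exe` under any `\AppData\Roaming\ViberPC\` path regardless of drive or profile root. Keeping the same shape as the siblings would be `SourceImage|contains|all:` with `- ':\Users\'` and `- '\AppData\Roaming\ViberPC\'`. This looks unintentional, since the same startswith-to-contains substitution is applied to `filter_optional_adobe_arm_helper` directly below it in this hunk.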
diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
index cca1a32d43b..6f948522582 100644
--- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
+++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml
@@ -50,24 +50,6 @@ detection:
- 138
- 139
condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
-fields:
- - ts
- - id.orig_h
- - id.orig_p
- - id.resp_h
- - id.resp_p
- - proto
- - qtype_name
- - qtype
- - query
- - answers
- - rcode
- - rcode_name
- - trans_id
- - qtype
- - ttl
- - AA
- - uid
falsepositives:
- 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
- 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
index 2b8d96bfe91..6df45ed4253 100755
--- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -23,10 +23,6 @@ detection:
selection:
CallTrace|contains: 'cmlua.dll'
condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
deleted file mode 100755
index 824d9090227..00000000000
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-title: Direct Syscall of NtOpenProcess
-id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
-status: experimental
-description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
-references:
- - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
-author: Christian Burkard (Nextron Systems), Tim Shelton
-date: 2021/07/28
-modified: 2023/10/11
-tags:
- - attack.execution
- - attack.t1106
-logsource:
- category: process_access
- product: windows
-detection:
- selection:
- CallTrace|startswith: 'UNKNOWN'
- filter_main_1:
- TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
- SourceImage|endswith: ':\Windows\Explorer.EXE'
- filter_main_2:
- TargetImage|endswith: ':\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
- SourceImage|contains: ':\Program Files (x86)\Microsoft\Temp\'
- SourceImage|endswith: '\MicrosoftEdgeUpdate.exe'
- filter_main_3:
- TargetImage|endswith: 'vcredist_x64.exe'
- SourceImage|endswith: 'vcredist_x64.exe'
- filter_main_4:
- TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
- SourceImage|endswith: 'setup64.exe' # vmware
- filter_main_5:
- TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
- SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
- filter_main_6:
- TargetImage|endswith: ':\Program Files\Mozilla Firefox\firefox.exe'
- SourceImage|endswith:
- - ':\Program Files\Mozilla Firefox\firefox.exe'
- - ':\Program Files\Mozilla Firefox\plugin-container.exe'
- filter_main_7: # VsCode
- TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- filter_main_8: # Google Chrome
- TargetImage|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
- SourceImage|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
- filter_main_9: # Google Chrome Update
- TargetImage|endswith: ':\Program Files (x86)\Google\Update\GoogleUpdate.exe'
- SourceImage|endswith: ':\Program Files (x86)\Google\Update\GoogleUpdate.exe'
- filter_main_10: # MS Teams
- TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
- SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
- filter_main_11:
- TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe'
- SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe'
- filter_main_12:
- TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
- SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
- filter_main_13: # Discord
- TargetImage|startswith: 'C:\Users\'
- TargetImage|contains: '\AppData\Local\Discord\'
- TargetImage|endswith: '\Discord.exe'
- filter_main_14:
- TargetImage: 'C:\WINDOWS\system32\AUDIODG.EXE'
- filter_main_15:
- SourceImage|startswith: 'C:\Users\'
- SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
- SourceImage|endswith: '\Yammer.exe'
- TargetImage|startswith: 'C:\Users\'
- TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
- TargetImage|endswith: '\Yammer.exe'
- GrantedAccess: '0x1000'
- filter_main_kerneltrace_edge:
- # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
- Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
- filter_main_mixed:
- TargetImage|endswith: '\Evernote\Evernote.exe'
- filter_main_defender:
- SourceImage: 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'
- TargetImage: C:\Windows\system32\svchost.exe
- GrantedAccess: '0x1000'
- condition: selection and not 1 of filter_main_*
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
similarity index 91%
rename from rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
rename to rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
index 760f43606d2..cdc017c600b 100644
--- a/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
@@ -1,4 +1,4 @@
-title: CobaltStrike BOF Injection Pattern
+title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
@@ -7,7 +7,7 @@ references:
- https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021/08/04
-modified: 2022/12/31
+modified: 2023/11/28
tags:
- attack.execution
- attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
new file mode 100644
index 00000000000..fd21e20f157
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
@@ -0,0 +1,110 @@
+title: HackTool - Generic Process Access
+id: d0d2f720-d14f-448d-8242-51ff396a334e
+status: experimental
+description: Detects process access requests from hacktool processes based on their default image name
+references:
+ - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
+ - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+date: 2023/11/27
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0002
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ - SourceImage|endswith:
+ - '\Akagi.exe'
+ - '\Akagi64.exe'
+ - '\atexec_windows.exe'
+ - '\Certify.exe'
+ - '\Certipy.exe'
+ - '\CoercedPotato.exe'
+ - '\crackmapexec.exe'
+ - '\CreateMiniDump.exe'
+ - '\dcomexec_windows.exe'
+ - '\dpapi_windows.exe'
+ - '\findDelegation_windows.exe'
+ - '\GetADUsers_windows.exe'
+ - '\GetNPUsers_windows.exe'
+ - '\getPac_windows.exe'
+ - '\getST_windows.exe'
+ - '\getTGT_windows.exe'
+ - '\GetUserSPNs_windows.exe'
+ - '\gmer.exe'
+ - '\hashcat.exe'
+ - '\htran.exe'
+ - '\ifmap_windows.exe'
+ - '\impersonate.exe'
+ - '\Inveigh.exe'
+ - '\LocalPotato.exe'
+ - '\mimikatz_windows.exe'
+ - '\mimikatz.exe'
+ - '\netview_windows.exe'
+ - '\nmapAnswerMachine_windows.exe'
+ - '\opdump_windows.exe'
+ - '\PasswordDump.exe'
+ - '\Potato.exe'
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
+ - '\psexec_windows.exe'
+ - '\PurpleSharp.exe'
+ - '\pypykatz.exe'
+ - '\QuarksPwDump.exe'
+ - '\rdp_check_windows.exe'
+ - '\Rubeus.exe'
+ - '\SafetyKatz.exe'
+ - '\sambaPipe_windows.exe'
+ - '\SelectMyParent.exe'
+ - '\SharpChisel.exe'
+ - '\SharPersist.exe'
+ - '\SharpEvtMute.exe'
+ - '\SharpImpersonation.exe'
+ - '\SharpLDAPmonitor.exe'
+ - '\SharpLdapWhoami.exe'
+ - '\SharpUp.exe'
+ - '\SharpView.exe'
+ - '\smbclient_windows.exe'
+ - '\smbserver_windows.exe'
+ - '\sniff_windows.exe'
+ - '\sniffer_windows.exe'
+ - '\split_windows.exe'
+ - '\SpoolSample.exe'
+ - '\Stracciatella.exe'
+ - '\SysmonEOP.exe'
+ - '\temp\rot.exe'
+ - '\ticketer_windows.exe'
+ - '\TruffleSnout.exe'
+ - '\winPEASany_ofs.exe'
+ - '\winPEASany.exe'
+ - '\winPEASx64_ofs.exe'
+ - '\winPEASx64.exe'
+ - '\winPEASx86_ofs.exe'
+ - '\winPEASx86.exe'
+ - '\xordump.exe'
+ - SourceImage|contains:
+ - '\goldenPac'
+ - '\just_dce_'
+ - '\karmaSMB'
+ - '\kintercept'
+ - '\LocalPotato'
+ - '\ntlmrelayx'
+ - '\rpcdump'
+ - '\samrdump'
+ - '\secretsdump'
+ - '\smbexec'
+ - '\smbrelayx'
+ - '\wmiexec'
+ - '\wmipersist'
+ - 'HotPotato'
+ - 'Juicy Potato'
+ - 'JuicyPotato'
+ - 'PetitPotam'
+ - 'RottenPotato'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
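Review bot: `'\LocalPotato'` in the `SourceImage|contains` list is redundant with `'\LocalPotato.exe'` in the `SourceImage|endswith` list above it, since the contains entry already covers that image; one of the two should go. The last five contains entries (`'HotPotato'`, `'Juicy Potato'`, `'JuicyPotato'`, `'PetitPotam'`, `'RottenPotato'`) have no leading backslash, so unlike the rest of the list they match anywhere in the path, including a directory component such as a tooling or research folder; if that is intended it deserves a trailing comment, otherwise prefix them with `\` like the other entries. The description already says the rule keys on default image names, so a renamed binary is outside its coverage; stating that explicitly in `falsepositives` or the description would help analysts tuning the rule.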
diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
similarity index 84%
rename from rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
rename to rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
index 8734a67229b..63ee38f016b 100644
--- a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
@@ -1,4 +1,4 @@
-title: HandleKatz Duplicating LSASS Handle
+title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
@@ -6,6 +6,7 @@ references:
- https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022/06/27
+modified: 2023/11/28
tags:
- attack.execution
- attack.t1106
@@ -18,11 +19,11 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
- call_trace: # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
+ # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
- condition: selection and call_trace
+ condition: selection
falsepositives:
- Unknown
level: high
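Review bot: After folding `call_trace` into `selection`, the merged block still anchors `CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'` on a fixed `C:` drive, which is inconsistent with the rest of this commit, where `C:\...` prefixes in `SourceImage` and `CallTrace` values were replaced with drive-agnostic `':\...'` forms (see the `filter_optional_thor` change in proc_access_win_lsass_memdump.yml). Since `startswith` cannot express "any single drive letter" on its own, a plain value with a single-character wildcard, `CallTrace: '?:\Windows\System32\ntdll.dll+*'`, would keep the anchoring while dropping the hard-coded letter; whether the backends in use support `?` should be checked first. The merge itself preserves semantics, as `selection and call_trace` was already a conjunction; the `logsource` block and the start of `detection` are above the hunk.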
diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
similarity index 88%
rename from rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
rename to rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
index 88741bfb62a..30ac5e826ea 100644
--- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml
@@ -1,4 +1,4 @@
-title: LittleCorporal Generated Maldoc Injection
+title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
@@ -6,7 +6,7 @@ references:
- https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021/08/09
-modified: 2022/06/02
+modified: 2023/11/28
tags:
- attack.execution
- attack.t1204.002
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
similarity index 55%
rename from rules/windows/process_access/proc_access_win_hack_sysmonente.yml
rename to rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
index 8e9f3be23f0..d2a5f9bebef 100644
--- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
@@ -1,4 +1,4 @@
-title: SysmonEnte Usage
+title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
@@ -8,7 +8,7 @@ references:
- https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022/09/07
-modified: 2022/09/09
+modified: 2023/11/28
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -16,19 +16,23 @@ logsource:
category: process_access
product: windows
detection:
- selection_1:
- TargetImage: 'C:\Windows\Sysmon64.exe'
+ selection_sysmon:
+ TargetImage|contains:
+ - ':\Windows\Sysmon.exe'
+ - ':\Windows\Sysmon64.exe'
GrantedAccess: '0x1400'
- filter_1:
- SourceImage|startswith:
- - 'C:\Program Files'
- - 'C:\Windows\System32\'
- filter_msdefender:
- SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- SourceImage|endswith: '\MsMpEng.exe'
selection_calltrace:
CallTrace: 'Ente'
- condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
+ filter_main_generic:
+ SourceImage|contains:
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ filter_main_msdefender:
+ SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
+ SourceImage|endswith: '\MsMpEng.exe'
+ condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
- Unknown
level: high
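Review bot: `selection_sysmon` uses `TargetImage|contains` for what are full image paths (`':\Windows\Sysmon.exe'`, `':\Windows\Sysmon64.exe'`), while the same commit writes the equivalent path in proc_access_win_lsass_memdump.yml as `SourceImage|endswith: ':\Windows\Sysmon64.exe'`; `endswith` is the tighter modifier for a complete file name and keeps the two rules consistent, i.e. `TargetImage|endswith:` with the same two values. `filter_main_generic` widens the exclusion from `startswith 'C:\Program Files'` and `'C:\Windows\System32\'` to four drive-agnostic `contains` prefixes, which matches the rest of the change set.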
diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
index 6a34e10df1d..41bf35d0838 100755
--- a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
@@ -7,7 +7,7 @@ references:
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/20
-modified: 2022/10/09
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.t1003.001
@@ -17,9 +17,9 @@ logsource:
detection:
selection:
TargetImage|endswith: '\lsass.exe'
- SourceImage: 'C:\Windows\System32\rundll32.exe'
+ SourceImage|endswith: '\rundll32.exe'
CallTrace|contains: 'comsvcs.dll'
condition: selection
falsepositives:
- Unknown
-level: critical
+level: high
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
similarity index 87%
rename from rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
rename to rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
index 506d65e663d..b3a870172e5 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml
@@ -1,12 +1,13 @@
-title: LSASS Memory Access by Tool Named Dump
+title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
-description: Detects a possible process memory dump based on a keyword in the file name of the accessing process
+description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022/02/10
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index b7be6357d46..81569e58e21 100755
--- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -1,7 +1,9 @@
-title: LSASS Memory Dump
+title: Credential Dumping Activity Via Lsass
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
-status: test
-description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
+status: experimental
+description: |
+ Detects process access requests to the LSASS process with specific call trace calls and access masks.
+ This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -9,7 +11,7 @@ references:
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019/04/03
-modified: 2022/09/29
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.t1003.001
@@ -21,28 +23,35 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- # - '0x1fffff' # Too many false positives
- # - '0x01000' # Too many false positives
- # - '0x1010' # Too many false positives
- '0x1038'
- # - '0x40' # Too many false positives
- # - '0x1400' # Too many false positives
- # - '0x1410' # Too many false positives
- - '0x1438'
- '0x143a'
+ - '0x1438'
+ - '0x1000'
+ - '0x01000' # Too many false positives
+ - '0x1010' # Too many false positives
+ - '0x1400' # Too many false positives
+ - '0x1410' # Too many false positives
+ - '0x1fffff' # Too many false positives
+ - '0x40' # Too many false positives
CallTrace|contains:
- - 'dbghelp.dll'
- 'dbgcore.dll'
+ - 'dbghelp.dll'
+ - 'kernel32.dll'
+ - 'kernelbase.dll'
- 'ntdll.dll'
- filter_thor:
+ filter_main_system_user:
+ SourceUser|contains: # Covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ filter_optional_thor:
CallTrace|contains|all:
- - '|C:\Windows\Temp\asgard2-agent\'
+ - ':\Windows\Temp\asgard2-agent\'
- '\thor\thor64.exe+'
- '|UNKNOWN('
GrantedAccess: '0x103800'
- filter_sysmon:
- SourceImage: 'C:\Windows\Sysmon64.exe'
- condition: selection and not 1 of filter*
+ filter_optional_sysmon:
+ SourceImage|endswith: ':\Windows\Sysmon64.exe'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- - False positives are present when looking for 0x1410. Exclusions may be required.
+ - Unknown
level: high
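Review bot: The six `GrantedAccess` values added from `'0x01000'` through `'0x40'` keep their old `# Too many false positives` trailing comments even though they are now active match values rather than commented-out ones, while `falsepositives` is changed to `Unknown` in the same hunk, so the comments now contradict the rule. Either drop the comments, or if the values were re-enabled because `filter_main_system_user` is expected to absorb the noise, say so, e.g. `# Re-enabled; noise is expected to be handled by filter_main_system_user`, and keep a matching `falsepositives` entry instead of `Unknown`. On that filter, `SourceUser|contains` `'AUTHORI'`/`'AUTORI'` excludes every access whose source runs under an NT AUTHORITY account (SYSTEM, LOCAL SERVICE, NETWORK SERVICE); LSASS access by tooling running as SYSTEM is common in practice, so this is a sizeable coverage gap for a rule whose description names Mimikatz and Procdump, and it would be safer to pair the user match with a `SourceImage` constraint or at least record the gap in the rule documentation. `filter_optional_sysmon` covers only `Sysmon64.exe`, whereas the SysmonEnte rule in this same commit matches both `Sysmon.exe` and `Sysmon64.exe`.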
diff --git a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
new file mode 100644
index 00000000000..ff24d962c4e
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
@@ -0,0 +1,37 @@
+title: Credential Dumping Activity By Python Based Tool
+id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
+related:
+ - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+ type: obsoletes
+ - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+ type: obsoletes
+status: stable
+description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
+references:
+ - https://twitter.com/bh4b3sh/status/1303674603819081728
+ - https://github.com/skelsec/pypykatz
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2023/11/27
+modified: 2023/11/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0349
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains|all:
+ - '_ctypes.pyd+'
+ - ':\Windows\System32\KERNELBASE.dll+'
+ - ':\Windows\SYSTEM32\ntdll.dll+'
+ CallTrace|contains:
+ - 'python27.dll+'
+ - 'python3*.dll+'
+ GrantedAccess: '0x1FFFFF'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
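Review bot: `status: stable` on a rule whose `date` is the same day as this commit is at odds with the other new rule in this change set, proc_access_win_hktl_generic_access.yml, which starts as `experimental`; if the intent is to inherit the status of the two rules it `obsoletes`, that is worth stating in the commit message, otherwise `status: experimental` is the safer starting point. The `CallTrace|contains` entry `'python3*.dll+'` relies on an embedded `*` wildcard inside a contains value, which is valid Sigma but easy to misread as a literal; a trailing comment such as `# python3x.dll, any minor version` would make it clear.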
diff --git a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
old mode 100755
new mode 100644
similarity index 60%
rename from rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
rename to rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
index b323d50c99a..7a3cc46c6a3
--- a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml
@@ -1,12 +1,12 @@
-title: Mimikatz through Windows Remote Management
+title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
-description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
+description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019/05/20
-modified: 2021/06/21
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.execution
@@ -21,10 +21,10 @@ logsource:
detection:
selection:
TargetImage|endswith: '\lsass.exe'
- SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
- filter:
+ SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
+ filter_main_access:
GrantedAccess: '0x80000000'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
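Review bot: The renamed path `proc_access_win_lsass_remote_access_trough_winrm.yml` carries the old name's `trough` typo into the new name; since the file is being renamed in this commit anyway, `proc_access_win_lsass_remote_access_through_winrm.yml` would fix it at no extra cost. The detection change itself (drive-agnostic `SourceImage|endswith` and the `filter_main_*` condition) is consistent with the other rules touched here.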
diff --git a/rules/windows/process_access/proc_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
similarity index 85%
rename from rules/windows/process_access/proc_access_win_susp_seclogon.yml
rename to rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
index a0c629ee742..a7ee70a3324 100644
--- a/rules/windows/process_access/proc_access_win_susp_seclogon.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml
@@ -1,12 +1,12 @@
title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: test
-description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll"
+description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
references:
- https://twitter.com/SBousseaden/status/1541920424635912196
- https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
-author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
+author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/29
tags:
- attack.credential_access
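Review bot: The rule's description and author lines change but no `modified` field is added; the context lines show `date: 2022/06/29` followed directly by `tags:`, so the rule has no modification date at all, while the sibling rules in this commit all bump `modified`. Add `modified: 2023/11/29` (or the actual date of this change) after the `date:` line so the rule's revision history stays consistent with the rest of the repository.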
diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
new file mode 100644
index 00000000000..979c02d93f0
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -0,0 +1,125 @@
+title: Potentially Suspicious GrantedAccess Flags On LSASS
+id: a18dd26b-6450-46de-8c91-9659150cf088
+related:
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: similar
+status: experimental
+description: Detects process access requests to LSASS process with potentially suspicious access flags
+references:
+ - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
+ - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
+ - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
+date: 2021/11/22
+modified: 2023/11/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0002
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection_target:
+ TargetImage|endswith: '\lsass.exe'
+ selection_access:
+ - GrantedAccess|endswith:
+ # - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
+ - '30'
+ - '50'
+ - '70'
+ - '90'
+ - 'B0'
+ - 'D0'
+ - 'F0'
+ - '18'
+ - '38'
+ - '58'
+ - '78'
+ - '98'
+ - 'B8'
+ - 'D8'
+ - 'F8'
+ - '1A'
+ - '3A'
+ - '5A'
+ - '7A'
+ - '9A'
+ - 'BA'
+ - 'DA'
+ - 'FA'
+ - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
+ - GrantedAccess|startswith:
+ - '0x100000'
+ - '0x1418' # car.2019-04-004
+ - '0x1438' # car.2019-04-004
+ - '0x143a' # car.2019-04-004
+ - '0x1f0fff'
+ - '0x1f1fff'
+ - '0x1f2fff'
+ - '0x1f3fff'
+ - '0x40'
+ # - '0x1000' # minimum access requirements to query basic info from service
+ # - '0x1010' # car.2019-04-004
+ # - '0x1400'
+ # - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
+ filter_main_generic:
+ # When using this rule. Remove this filter and replace it by the path of the specific AV you use
+ SourceImage|contains:
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ filter_optional_malwarebytes:
+ SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
+ filter_optional_vscode:
+ SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+ filter_main_windefend_1:
+ SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
+ SourceImage|endswith: '\MsMpEng.exe'
+ filter_main_windefend_2:
+ CallTrace|contains|all:
+ - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
+ - '}\mpengine.dll+'
+ GrantedAccess: '0x1418'
+ filter_main_windefend_3:
+ CallTrace|contains:
+ - '|c:\program files\windows defender\mprtp.dll'
+ - '|c:\program files\windows defender\MpClient.dll'
+ filter_optional_vmwaretools:
+ SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
+ SourceImage|endswith: '\vmtoolsd.exe'
+ filter_optional_sysinternals_process_explorer:
+ SourceImage|endswith:
+ - '\PROCEXP64.EXE'
+ - '\PROCEXP.EXE'
+ GrantedAccess: '0x40'
+ filter_optional_mbami:
+ SourceImage|endswith: '\MBAMInstallerService.exe'
+ GrantedAccess: '0x40'
+ filter_optional_nextron:
+ SourceImage|endswith:
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
+ - '\thor.exe'
+ - '\thor64.exe'
+ GrantedAccess: '0x40'
+ filter_main_explorer:
+ SourceImage|endswith: '\explorer.exe'
+ GrantedAccess: '0x401'
+ filter_optional_sysinternals_handle:
+ SourceImage|endswith:
+ - '\handle.exe'
+ - '\handle64.exe'
+ GrantedAccess: '0x40'
+ filter_optional_webex:
+ SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
+ GrantedAccess: '0x401'
+ filter_optional_steam_apps:
+ SourceImage|contains: '\SteamLibrary\steamapps\'
+ condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate software such as AV and EDR
+level: medium
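Review bot: `GrantedAccess|startswith: '0x40'` in `selection_access` is a prefix match, so it also selects `0x400`, `0x401`, `0x4000` and any longer value beginning with those digits; the `GrantedAccess: '0x401'` entries in `filter_main_explorer` and `filter_optional_webex` look like a consequence of that breadth. If only the `0x40` right is intended, list it under an exact `GrantedAccess` match instead, or add a comment next to the value explaining that the wider prefix is deliberate. Separately, the comment on `filter_main_generic` tells users to remove the filter and replace it with their AV's path, which is the semantics this rule otherwise gives to `filter_optional_*`; renaming it `filter_optional_generic` (or rewording the comment) would keep the main/optional convention meaningful.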
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
similarity index 94%
rename from rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
rename to rules/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
index c0029c73ea5..cab67250e13 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml
@@ -1,10 +1,10 @@
-title: Rare GrantedAccess Flags on LSASS Access
+title: Uncommon GrantedAccess Flags On LSASS
id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
related:
- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
type: obsoletes
status: test
-description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
+description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -13,7 +13,7 @@ references:
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth (Nextron Systems)
date: 2022/03/13
-modified: 2022/11/13
+modified: 2023/11/30
tags:
- attack.credential_access
- attack.t1003.001
@@ -28,18 +28,18 @@ detection:
# Absolute paths to programs that cause false positives
filter1:
SourceImage:
- - 'C:\WINDOWS\system32\taskmgr.exe'
+ - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
- 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
- - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- - 'C:\WINDOWS\system32\taskhostw.exe'
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
- - 'C:\Windows\SysWOW64\msiexec.exe'
- - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- 'C:\Windows\System32\lsass.exe'
+ - 'C:\Windows\System32\msiexec.exe'
- 'C:\WINDOWS\System32\perfmon.exe'
+ - 'C:\WINDOWS\system32\taskhostw.exe'
+ - 'C:\WINDOWS\system32\taskmgr.exe'
- 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
+ - 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
- - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
# Windows Defender
filter2:
SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
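Review bot: `filter1` is re-sorted but keeps exact `SourceImage` matches on hard-coded `C:\` paths (and `filter2` uses `SourceImage|startswith: 'C:\ProgramData\...'`), while the other LSASS rules in this commit switch to drive-agnostic matching such as `SourceImage|endswith: ':\Windows\System32\msiexec.exe'`. Hosts with a non-`C:` system drive will not be covered by these filters and will generate the false positives the list is meant to suppress. Converting the list to `SourceImage|endswith` with `:\` prefixes would align it with the rest of the change; the detection block continues outside this hunk.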
@@ -104,10 +104,6 @@ detection:
- '0x410'
- '0x10'
condition: selection and not 1 of filter*
-fields:
- - User
- - SourceImage
- - GrantedAccess
falsepositives:
- Legitimate software accessing LSASS process for legitimate reason
level: medium
diff --git a/rules/windows/process_access/proc_access_win_lsass_werfault.yml b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
index 1df4221137f..882813b6d32 100644
--- a/rules/windows/process_access/proc_access_win_lsass_werfault.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_werfault.yml
@@ -1,4 +1,4 @@
-title: WerFault Accassing LSASS
+title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
@@ -6,7 +6,7 @@ references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012/06/27
-modified: 2022/10/09
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
similarity index 82%
rename from rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
rename to rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
index b85b77accf0..51e310eb74e 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml
@@ -1,13 +1,15 @@
-title: LSASS Access from White-Listed Processes
+title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
-description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference
+description: |
+ Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022/02/10
+modified: 2023/11/29
tags:
- attack.credential_access
- attack.t1003.001
@@ -51,5 +53,5 @@ detection:
- 'FF'
condition: selection
falsepositives:
- - Unlikely, since these tools shouldn't access lsass.exe at all
+ - Unknown
level: high
diff --git a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
deleted file mode 100644
index b82d198260e..00000000000
--- a/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-title: Potential Shellcode Injection
-id: 250ae82f-736e-4844-a68b-0b5e8cc887da
-status: test
-description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
-author: Bhabesh Raj
-date: 2022/03/11
-modified: 2023/10/17
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
-logsource:
- category: process_access
- product: windows
-detection:
- selection:
- GrantedAccess:
- - '0x147a'
- - '0x1f3fff'
- CallTrace|contains: 'UNKNOWN'
- filter_dell_folders:
- # If dell software is installed we get matches like these
- # Example 1:
- # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
- # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # GrantedAccess: 0x1F3FFF
- # Example 2:
- # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
- # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # GrantedAccess: 0x1F3FFF
- # Example 3:
- # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
- # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
- # GrantedAccess: 0x1F3FFF
- SourceImage|startswith:
- - 'C:\Program Files\Dell\'
- - 'C:\Program Files (x86)\Dell\'
- TargetImage|startswith:
- - 'C:\Program Files\Dell\'
- - 'C:\Program Files (x86)\Dell\'
- GrantedAccess: '0x1F3FFF'
- CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
- filter_dell_specifc:
- SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
- TargetImage: 'C:\Windows\Explorer.EXE'
- GrantedAccess: '0x1F3FFF'
- CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
- filter_visual_studio:
- SourceImage:
- - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
- - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
- TargetImage:
- - 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
- - 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
- CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'
- filter_ddvdatacollector:
- SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
- SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
- TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
- filter_wmiprvese:
- SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
- TargetImage: 'C:\Windows\system32\lsass.exe'
- CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml
new file mode 100644
index 00000000000..7c1b4141d98
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml
@@ -0,0 +1,68 @@
+title: Direct Syscall of NtOpenProcess
+id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+status: experimental
+description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
+references:
+ - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
+author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
+date: 2021/07/28
+modified: 2023/11/27
+tags:
+ - attack.execution
+ - attack.t1106
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ CallTrace|startswith: 'UNKNOWN'
+ filter_main_vcredist:
+ TargetImage|endswith: 'vcredist_x64.exe'
+ SourceImage|endswith: 'vcredist_x64.exe'
+ filter_main_generic:
+ # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
+ SourceImage|contains:
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ - ':\Windows\WinSxS\'
+ TargetImage|contains:
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ - ':\Windows\WinSxS\'
+ filter_main_kerneltrace_edge:
+ # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
+ Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
+ filter_optional_vmware:
+ TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
+ SourceImage|endswith: 'setup64.exe' # vmware
+ filter_optional_cylance:
+ SourceImage|endswith: ':\Windows\Explorer.EXE'
+ TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
+ filter_optional_amazon:
+ SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
+ TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
+ filter_optional_vscode: # VsCode
+ SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+ TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
+ filter_optional_teams: # MS Teams
+ TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ filter_optional_discord: # Discord
+ TargetImage|contains: '\AppData\Local\Discord\'
+ TargetImage|endswith: '\Discord.exe'
+ filter_optional_yammer:
+ SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
+ SourceImage|endswith: '\Yammer.exe'
+ TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
+ TargetImage|endswith: '\Yammer.exe'
+ GrantedAccess: '0x1000'
+ filter_optional_evernote:
+ TargetImage|endswith: '\Evernote\Evernote.exe'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Unknown
+level: high
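Review bot: Several `endswith` values are not anchored on a path separator: `filter_main_vcredist` uses `'vcredist_x64.exe'`, `filter_optional_vmware` uses `'setup64.exe'` and `filter_optional_amazon` uses `'AmazonSSMAgentSetup.exe'`, so any image whose file name merely ends in those strings is excluded regardless of directory. Anchor them as `'\vcredist_x64.exe'`, `'\setup64.exe'` and `'\AmazonSSMAgentSetup.exe'` to match only the intended executables. `filter_main_vcredist` is also a product-specific exclusion rather than a generic one, so it arguably belongs in the `filter_optional_*` group like the other vendor filters.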
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml
similarity index 87%
rename from rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
rename to rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml
index b853faf8e5b..13f56b61c52 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml
@@ -7,7 +7,7 @@ references:
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
-modified: 2023/11/09
+modified: 2023/11/27
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -47,16 +47,11 @@ detection:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\app-'
filter_main_dotnet:
- SourceImage|contains:
- - ':\Windows\Microsoft.NET\Framework\v'
- - ':\Windows\Microsoft.NET\Framework64\v'
- SourceImage|endswith: '\NGenTask.exe'
- TargetImage|contains:
- - ':\Windows\Microsoft.NET\Framework\v'
- - ':\Windows\Microsoft.NET\Framework64\v'
+ SourceImage|contains: ':\Windows\Microsoft.NET\'
+ TargetImage|contains: ':\Windows\Microsoft.NET\'
filter_main_taskhost:
SourceImage|contains:
- - ':\WINDOWS\system32\taskhostw.exe'
+ - ':\Windows\system32\taskhostw.exe'
- ':\Windows\system32\taskhost.exe'
TargetImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
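Review bot: The rewritten `filter_main_dotnet` drops the `SourceImage|endswith: '\NGenTask.exe'` constraint and the versioned `Framework\v` / `Framework64\v` prefixes, so any image under `:\Windows\Microsoft.NET\` accessing any other image under that tree is now excluded from this rule. If the intent is still to suppress only NGen activity, keeping `SourceImage|endswith: '\NGenTask.exe'` alongside the simplified `contains` values preserves the narrower exclusion; otherwise a short comment stating that the whole .NET tree is intentionally trusted would document the widening. The `detection` block continues past the end of this hunk.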
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
deleted file mode 100644
index b9d2d0811f0..00000000000
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-title: Suspicious GrantedAccess Flags on LSASS Access
-id: a18dd26b-6450-46de-8c91-9659150cf088
-related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
-status: experimental
-description: Detects process access to LSASS memory with suspicious access flags
-references:
- - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-author: Florian Roth (Nextron Systems)
-date: 2021/11/22
-modified: 2023/05/17
-tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.s0002
-logsource:
- category: process_access
- product: windows
-detection:
- selection:
- TargetImage|endswith: '\lsass.exe'
- GrantedAccess|endswith:
- # - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
- - '30'
- - '50'
- - '70'
- - '90'
- - 'B0'
- - 'D0'
- - 'F0'
- - '18'
- - '38'
- - '58'
- - '78'
- - '98'
- - 'B8'
- - 'D8'
- - 'F8'
- - '1A'
- - '3A'
- - '5A'
- - '7A'
- - '9A'
- - 'BA'
- - 'DA'
- - 'FA'
- - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- # Absolute paths to programs that cause false positives
- filter_absolute:
- SourceImage:
- - 'C:\WINDOWS\system32\taskmgr.exe'
- - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
- - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- - 'C:\WINDOWS\system32\taskhostw.exe'
- - 'C:\Program Files\Windows Defender\MsMpEng.exe'
- - 'C:\Windows\SysWOW64\msiexec.exe'
- - 'C:\Windows\System32\msiexec.exe'
- - 'C:\Windows\System32\lsass.exe'
- - 'C:\WINDOWS\System32\perfmon.exe'
- - 'C:\Windows\System32\MRT.exe'
- - 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
- - 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
- # VSCode
- filter_vscode:
- SourceImage|startswith: 'C:\Users\'
- SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- # Windows Defender
- filter_windefend_1:
- SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
- SourceImage|endswith: '\MsMpEng.exe'
- filter_windefend_2:
- CallTrace|contains|all:
- - '|C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
- - '}\mpengine.dll+'
- GrantedAccess: '0x1418'
- filter_windefend_3:
- # Trigger Win7
- SourceImage: 'C:\Program Files\Microsoft Security Client\MsMpEng.exe'
- GrantedAccess: '0x1418'
- # VMware Tools
- filter_vmwaretools:
- SourceImage|startswith: 'C:\ProgramData\VMware\VMware Tools\'
- SourceImage|endswith: '\vmtoolsd.exe'
- # Antivirus and EDR agents
- filter_generic_av:
- # When using this rule. Remove this filter and replace it by the path of the specific AV you use
- SourceImage|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- SourceImage|contains: 'Antivirus'
- filter_mrt:
- SourceImage: 'C:\WINDOWS\system32\MRT.exe'
- GrantedAccess: '0x1418'
- filter_mcafee:
- SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
- filter_nextron:
- # Remove this if you don't use Nextron Products
- SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
- SourceImage|endswith:
- - '\thor64.exe'
- - '\thor.exe'
- GrantedAccess: '0x1fffff'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Legitimate software such as AV and EDR
-level: high
diff --git a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml
new file mode 100644
index 00000000000..437a479b6cd
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml
@@ -0,0 +1,67 @@
+title: Potential Shellcode Injection
+id: 250ae82f-736e-4844-a68b-0b5e8cc887da
+status: test
+description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
+author: Bhabesh Raj
+date: 2022/03/11
+modified: 2023/11/29
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ GrantedAccess:
+ - '0x147a'
+ - '0x1f3fff'
+ CallTrace|contains: 'UNKNOWN'
+ filter_optional_dell_folders:
+ # If dell software is installed we get matches like these
+ # Example 1:
+ # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 2:
+ # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # GrantedAccess: 0x1F3FFF
+ # Example 3:
+ # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
+ # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
+ # GrantedAccess: 0x1F3FFF
+ SourceImage|contains:
+ - ':\Program Files\Dell\'
+ - ':\Program Files (x86)\Dell\'
+ TargetImage|contains:
+ - ':\Program Files\Dell\'
+ - ':\Program Files (x86)\Dell\'
+ GrantedAccess: '0x1F3FFF'
+ CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
+ filter_optional_dell_specifc:
+ SourceImage|endswith: ':\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+ TargetImage|endswith: ':\Windows\Explorer.EXE'
+ GrantedAccess: '0x1F3FFF'
+ CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
+ filter_optional_visual_studio:
+ SourceImage|endswith:
+ - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe'
+ - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\PerfWatson2.exe'
+ TargetImage|endswith:
+ - ':\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
+ - ':\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe'
+ CallTrace|startswith: '?:\Windows\System32\ntdll.dll'
+ filter_optional_ddvdatacollector:
+ SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
+ SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
+ TargetImage|endswith: ':\Program Files\Dell\DellDataVault\DDVDataCollector.exe'
+ filter_optional_wmiprvese:
+ SourceImage|endswith: ':\Windows\System32\Wbem\Wmiprvse.exe'
+ TargetImage|endswith: ':\Windows\system32\lsass.exe'
+ CallTrace|startswith: '?:\Windows\SYSTEM32\ntdll.dll'
+ condition: selection and not 1 of filter_optional_*
+falsepositives:
+ - Unknown
+level: high
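Review bot: The filter key `filter_optional_dell_specifc` carries over a typo from the deleted file; since the condition only requires the `filter_optional_*` prefix, renaming it to `filter_optional_dell_specific` is safe and keeps the rule greppable. The `filter_optional_visual_studio` paths are also pinned to the `2022\Community` and `2019\Community` editions, so other Visual Studio editions producing the same PerfWatson2/devenv pattern would presumably still alert; a comment stating that this is intentional, or a `contains` on `\Common7\IDE\PerfWatson2.exe`, would clarify the scope.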
diff --git a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml b/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
deleted file mode 100644
index 8f9ad2a17ea..00000000000
--- a/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: SVCHOST Credential Dump
-id: 174afcfa-6e40-4ae9-af64-496546389294
-status: test
-description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
-author: Florent Labouyrie
-date: 2021/04/30
-modified: 2022/10/09
-tags:
- - attack.t1548
-logsource:
- product: windows
- category: process_access
-detection:
- selection_process:
- TargetImage|endswith: '\svchost.exe'
- selection_memory:
- GrantedAccess: '0x143a'
- filter_trusted_process_access:
- SourceImage|endswith:
- - '*\services.exe'
- - '*\msiexec.exe'
- condition: selection_process and selection_memory and not filter_trusted_process_access
-falsepositives:
- - Non identified legit exectubale
-level: high
diff --git a/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
new file mode 100644
index 00000000000..991906f4cea
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml
@@ -0,0 +1,26 @@
+title: Credential Dumping Attempt Via Svchost
+id: 174afcfa-6e40-4ae9-af64-496546389294
+status: test
+description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
+references:
+ - Internal Research
+author: Florent Labouyrie
+date: 2021/04/30
+modified: 2022/10/09
+tags:
+ - attack.t1548
+logsource:
+ product: windows
+ category: process_access
+detection:
+ selection:
+ TargetImage|endswith: '\svchost.exe'
+ GrantedAccess: '0x143a'
+ filter_main_known_processes:
+ SourceImage|endswith:
+ - '\services.exe'
+ - '\msiexec.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
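Review bot: `modified: 2022/10/09` is unchanged although this file rewrites the title, description, selection, filter name and condition of the rule replaced in the previous hunk; the other rewritten rules in this commit bump the field, so this one should read `modified: 2023/11/29` (or the actual date of the change). The only ATT&CK tag is `attack.t1548`, while the title and description describe credential dumping; the LSASS rules in this commit carry `attack.credential_access` and `attack.t1003.001`, so the tag set looks worth re-checking against the intended technique.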
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
old mode 100755
new mode 100644
similarity index 63%
rename from rules/windows/process_access/proc_access_win_invoke_phantom.yml
rename to rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
index b1374edb8a8..1fd357197cb
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml
@@ -1,7 +1,7 @@
-title: Potential Svchost Memory Access
+title: Suspicious Svchost Process Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: test
-description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.
+description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
@@ -16,17 +16,17 @@ logsource:
product: windows
detection:
selection:
- TargetImage|endswith: '\WINDOWS\System32\svchost.exe'
+ TargetImage|endswith: ':\Windows\System32\svchost.exe'
GrantedAccess: '0x1F3FFF'
CallTrace|contains: 'UNKNOWN'
- filter_msbuild:
- SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ filter_main_msbuild:
+ SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
# Just to make sure it's "really" .NET :)
CallTrace|contains:
- 'Microsoft.Build.ni.dll'
- 'System.ni.dll'
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
similarity index 68%
rename from rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
rename to rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
index dfc7bf9512c..8d0246b6b22 100644
--- a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
+++ b/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml
@@ -1,13 +1,13 @@
-title: Load Undocumented Autoelevated COM Interface
+title: Function Call From Undocumented COM Interface EditionUpgradeManager
id: fb3722e4-1a06-46b6-b772-253e2e7db933
status: test
-description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+description: Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
references:
- https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
- https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
author: oscd.community, Dmitry Uchakin
date: 2020/10/07
-modified: 2021/11/27
+modified: 2023/11/30
tags:
- attack.defense_evasion
- attack.privilege_escalation
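Review bot: The new description is split into a sentence fragment ("... COM interface. Which is an interface that ..."), which reads awkwardly in rule listings and SIEM alert text. A single sentence conveys the same point: `description: Detects function calls from the EditionUpgradeManager COM interface, which is not used by standard executables.`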
@@ -19,12 +19,6 @@ detection:
selection:
CallTrace|contains: 'editionupgrademanagerobj.dll'
condition: selection
-fields:
- - ComputerName
- - User
- - SourceImage
- - TargetImage
- - CallTrace
falsepositives:
- Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
index ab18d5659a9..b61f064bf71 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml
@@ -28,44 +28,44 @@ detection:
- '\wmiexec'
- '\wmipersist'
- Image|endswith:
- # - '\addcomputer_windows.exe'
- '\atexec_windows.exe'
- '\dcomexec_windows.exe'
- '\dpapi_windows.exe'
- # - '\esentutl_windows.exe'
- '\findDelegation_windows.exe'
- '\GetADUsers_windows.exe'
- # - '\getArch_windows.exe'
- '\GetNPUsers_windows.exe'
- '\getPac_windows.exe'
- '\getST_windows.exe'
- '\getTGT_windows.exe'
- '\GetUserSPNs_windows.exe'
- '\ifmap_windows.exe'
- # - '\lookupsid_windows.exe'
- '\mimikatz_windows.exe'
- # - '\mqtt_check_windows.exe'
- # - '\mssqlclient_windows.exe'
- # - '\mssqlinstance_windows.exe'
- '\netview_windows.exe'
- '\nmapAnswerMachine_windows.exe'
- # - '\ntfs-read_windows.exe'
- '\opdump_windows.exe'
- # - '\ping6_windows.exe'
- # - '\ping_windows.exe'
- '\psexec_windows.exe'
- # - '\raiseChild_windows.exe'
- '\rdp_check_windows.exe'
- # - '\registry-read_windows.exe'
- # - '\reg_windows.exe'
- '\sambaPipe_windows.exe'
- # - '\services_windows.exe'
- '\smbclient_windows.exe'
- '\smbserver_windows.exe'
- - '\sniffer_windows.exe'
- '\sniff_windows.exe'
+ - '\sniffer_windows.exe'
- '\split_windows.exe'
- '\ticketer_windows.exe'
+ # - '\addcomputer_windows.exe'
+ # - '\esentutl_windows.exe'
+ # - '\getArch_windows.exe'
+ # - '\lookupsid_windows.exe'
+ # - '\mqtt_check_windows.exe'
+ # - '\mssqlclient_windows.exe'
+ # - '\mssqlinstance_windows.exe'
+ # - '\ntfs-read_windows.exe'
+ # - '\ping_windows.exe'
+ # - '\ping6_windows.exe'
+ # - '\raiseChild_windows.exe'
+ # - '\reg_windows.exe'
+ # - '\registry-read_windows.exe'
+ # - '\services_windows.exe'
# - '\wmiquery_windows.exe'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
index 736eb477de8..0d75d980dff 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml
@@ -20,12 +20,12 @@ detection:
selection_img:
- OriginalFileName: 'winPEAS.exe'
- Image|endswith:
- - '\winPEASany.exe'
- '\winPEASany_ofs.exe'
- - '\winPEASx64.exe'
+ - '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- - '\winPEASx86.exe'
+ - '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
+ - '\winPEASx86.exe'
selection_cli_option:
CommandLine|contains:
- ' applicationsinfo' # Search installed applications information
diff --git a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
index d30a0db0b4a..ac2f2302657 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
@@ -47,10 +47,6 @@ detection:
- '.msi'
- '.vbs'
condition: all of selection_*
-fields:
- - CommandLine
- - ParentProcess
- - CommandLine
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml b/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml
rename to rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml
diff --git a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
similarity index 55%
rename from rules/windows/process_tampering/proc_tampering_process_hollowing.yml
rename to rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
index ddc610eecb6..d1c2be162ee 100644
--- a/rules/windows/process_tampering/proc_tampering_process_hollowing.yml
+++ b/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml
@@ -7,7 +7,7 @@ references:
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022/01/25
-modified: 2023/09/16
+modified: 2023/11/28
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -18,37 +18,17 @@ logsource:
detection:
selection:
Type: 'Image is replaced'
- filter_main_generic_1:
+ filter_main_generic:
Image|contains:
- - ':\Program Files\'
- ':\Program Files (x86)'
- filter_main_generic_2:
- Image:
+ - ':\Program Files\'
- ':\Windows\System32\wbem\WMIADAP.exe'
- ':\Windows\SysWOW64\wbem\WMIADAP.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
- filter_optional_chrome:
- Image:
- - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
- filter_optional_firefox:
- Image:
- - 'C:\Program Files\Mozilla Firefox\firefox.exe'
- - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
- filter_optional_edge_1:
- - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- - Image:
- - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
- filter_optional_edge_2:
- Image|startswith:
- - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- - 'C:\Program Files\Microsoft\EdgeCore\'
- Image|endswith:
- - '\msedge.exe'
- - '\msedgewebview2.exe'
+ filter_optional_edge:
+ Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
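Review bot: In the merged `filter_main_generic` list the `':\Program Files (x86)'` entry has no trailing backslash while its sibling `':\Program Files\'` does, so under `Image|contains` it also matches any path segment that merely begins with `Program Files (x86)` rather than the directory itself; suggest `- ':\Program Files (x86)\'` for consistency and precision. The same list now mixes directory prefixes with two full `WMIADAP.exe` paths that previously used an exact `Image:` match; that appears harmless under `contains` because the values are full `:\Windows\...` paths, but a short comment above those two entries noting they are intentional exact-path entries would make the intent clear to the next maintainer. The `logsource` and `id` for this rule are outside the hunk.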
diff --git a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
similarity index 56%
rename from rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml
rename to rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
index 4d0d4e9bbef..137b29a8b25 100644
--- a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml
+++ b/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml
@@ -6,7 +6,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
-modified: 2023/09/06
+modified: 2023/11/28
tags:
- attack.defense_evasion
- attack.t1006
@@ -17,55 +17,47 @@ detection:
filter_main_floppy:
Device|contains: floppy
filter_main_generic:
- Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - 'C:\Windows\System32\'
- - 'C:\Windows\SystemApps\'
- - 'C:\Windows\WinSxS\'
- - 'C:\Windows\servicing\'
- - 'C:\Windows\CCM\'
- - 'C:\Windows\uus\'
- filter_main_setuphost:
- Image: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe' # Related to Windows Upgrade/Update
+ Image|contains:
+ - ':\$WINDOWS.~BT\'
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\CCM\'
+ - ':\Windows\explorer.exe'
+ - ':\Windows\servicing\'
+ - ':\Windows\SoftwareDistribution\'
+ - ':\Windows\System32\'
+ - ':\Windows\SystemApps\'
+ - ':\Windows\uus\'
+ - ':\Windows\WinSxS\'
filter_main_system_images:
Image:
- - 'System'
- 'Registry'
- filter_main_specific:
- Image: 'C:\Windows\explorer.exe'
+ - 'System'
filter_main_windefender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_microsoft_appdata:
Image|contains|all:
- - 'C:\Users\'
+ - ':\Users\'
- '\AppData\'
- '\Microsoft\'
- filter_main_windows_update_box:
- # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
- # Related to Windows Upgrade/Update
- Image|startswith: 'C:\Windows\SoftwareDistribution\Download'
- Image|endswith: '\WindowsUpdateBox.exe'
filter_main_ssd_nvme:
- Image|startswith: 'C:\Windows\Temp\'
+ Image|contains: ':\Windows\Temp\'
Image|endswith:
- - '\HostMetadata\NVMEHostmetadata.exe'
- '\Executables\SSDUpdate.exe'
+ - '\HostMetadata\NVMEHostmetadata.exe'
filter_main_null:
Image: null
filter_main_systemsettings:
- Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+ Image|endswith: ':\Windows\ImmersiveControlPanel\SystemSettings.exe'
filter_optional_github_desktop:
- Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\GitHubDesktop\app-'
Image|endswith: '\resources\app\git\mingw64\bin\git.exe'
filter_optional_nextron:
- Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ Image|contains: ':\Windows\Temp\asgard2-agent\'
Image|endswith: '\thor.exe'
filter_optional_Keybase:
- Image|endswith: 'C:\Users\'
- Image|startswith: '\AppData\Local\Keybase\upd.exe'
+ Image|contains: '\AppData\Local\Keybase\upd.exe'
condition: not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
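Review bot: Replacing the exact-image filters for `SetupHost.exe` and `WindowsUpdateBox.exe` with the directory-level `contains` entries `':\$WINDOWS.~BT\'` and `':\Windows\SoftwareDistribution\'` in `filter_main_generic` widens the exclusion to any executable under those directories, and the `# Related to Windows Upgrade/Update` comments that explained why they were excluded were dropped in the process. Suggest keeping that context inline, e.g. `- ':\$WINDOWS.~BT\'  # Windows Upgrade/Update (SetupHost.exe)` and `- ':\Windows\SoftwareDistribution\'  # Windows Update (WindowsUpdateBox.exe)`, so a future reviewer can judge whether the wider match is still wanted. Separately, `filter_main_microsoft_appdata` now excludes any image under `:\Users\...\AppData\...\Microsoft\...` on any drive, a user-writable location, which is a broad exclusion for a rule that has no positive selection; a comment stating which Microsoft per-user binaries it is meant to cover, or an `Image|endswith` list of them, would narrow it. The `filter_optional_Keybase` rewrite looks like a genuine fix, since the old `endswith`/`startswith` values were swapped and could never match.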