diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
new file mode 100644
index 00000000000..379c53f74c4
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -0,0 +1,33 @@
+title: DLL Names Used By SVR For GraphicalProton Backdoor
+id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
+status: experimental
+description: Hunts known SVR-specific DLL names.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: CISA
+date: 2023/12/18
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\AclNumsInvertHost.dll'
+ - '\AddressResourcesSpec.dll'
+ - '\BlendMonitorStringBuild.dll'
+ - '\ChildPaletteConnected.dll'
+ - '\DeregisterSeekUsers.dll'
+ - '\HandleFrequencyAll.dll'
+ - '\HardSwapColor.dll'
+ - '\LengthInMemoryActivate.dll'
+ - '\ModeBitmapNumericAnimate.dll'
+ - '\ModeFolderSignMove.dll'
+ - '\ParametersNamesPopup.dll'
+ - '\PerformanceCaptionApi.dll'
+ - '\ScrollbarHandleGet.dll'
+ - '\UnregisterAncestorAppendAuto.dll'
+ - '\WowIcmpRemoveReg.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
new file mode 100644
index 00000000000..7bc11682ecb
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
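Review bot: The new rule has no `tags:` section, while the two sibling Cozy-Bear rules added in this commit carry `attack.persistence`; a rule under rules-emerging-threats with neither an ATT&CK nor a threat-actor tag is hard to pivot on in downstream tooling. Add at least the technique the advisory associates with these DLLs — as far as I recall aa23-347a describes them being side-loaded, which would be `tags:` / `    - attack.defense_evasion` / `    - attack.t1574.002` — but confirm against the reference before committing to a technique id. The `description:` could also name GraphicalProton as the title does, so the two agree on what is being hunted.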
@@ -0,0 +1,47 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
+id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
+related:
+ - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ service: security
+ product: windows
+detection:
+ selection:
+ EventID:
+ - 4698
+ - 4699
+ - 4702
+ TaskName:
+ - '\defender'
+ - '\Microsoft\DefenderService'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
+ - '\Microsoft\Windows\ATPUpd'
+ - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
+ - '\Microsoft\Windows\DefenderUPDService'
+ - '\Microsoft\Windows\IISUpdateService'
+ - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
+ - '\Microsoft\Windows\WiMSDFS'
+ - '\Microsoft\Windows\Windows Defender\Defender Update Service'
+ - '\Microsoft\Windows\Windows Defender\Service Update'
+ - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
+ - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
+ - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
+ - '\Microsoft\Windows\WindowsDefenderService'
+ - '\Microsoft\Windows\WindowsDefenderService2'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
+ - '\WindowUpdate'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
new file mode 100644
index 00000000000..0afd02e2418
--- /dev/null
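Review bot: `'\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'` reads like a typo of the entry directly above it, but it is presumably an attacker-chosen lookalike taken verbatim from the advisory; without a comment, a future cleanup will "fix" the spelling and silently drop the indicator. Suggest annotating it, e.g. `- '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck' # intentional misspelling, task name as observed in aa23-347a`, and treating the other near-legitimate names (`BfeOnServiceStart`, `CheckReporting`, `Scheduled Check`, …) the same way if they are likewise verbatim. The identical 20-entry list is duplicated in the Task Scheduler sibling rule 2bfc1373-0220-4fbd-8b10-33ddafd2a142 later in this commit, so any correction has to land in both files.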
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml 
@@ -0,0 +1,48 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
+id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+related:
+ - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ selection:
+ EventID:
+ - 129 # Task Created
+ - 140 # Task Updated
+ - 141 # Task Deleted
+ TaskName:
+ - '\defender'
+ - '\Microsoft\DefenderService'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
+ - '\Microsoft\Windows\ATPUpd'
+ - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
+ - '\Microsoft\Windows\DefenderUPDService'
+ - '\Microsoft\Windows\IISUpdateService'
+ - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
+ - '\Microsoft\Windows\WiMSDFS'
+ - '\Microsoft\Windows\Windows Defender\Defender Update Service'
+ - '\Microsoft\Windows\Windows Defender\Service Update'
+ - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
+ - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
+ - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
+ - '\Microsoft\Windows\WindowsDefenderService'
+ - '\Microsoft\Windows\WindowsDefenderService2'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
+ - '\WindowUpdate'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
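Review bot: The inline comment `# Task Created` on EventID 129 is misleading: in Microsoft-Windows-TaskScheduler/Operational, 129 is "Created Task Process" (a task's action launched a process), while task registration is event 106, as far as I recall from Microsoft's event reference — please verify. If the intent is to see these tasks being created, add `- 106 # Task registered` to the list and correct the existing comment to `# Created Task Process`; keeping 129 is still worthwhile because it fires every time one of the tasks actually runs. The comment on the related id, `# Security-Audting Eventlog`, is misspelled and should read `Auditing`.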
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
similarity index 51%
rename from rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index 426d1093c11..cb5b748326e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -1,26 +1,26 @@
-title: Data Compressed - PowerShell
+title: Compress-Archive Cmdlet Execution
 id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: test
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
-modified: 2022/12/25
+modified: 2023/12/15
 tags:
 - attack.exfiltration
 - attack.t1560
+ - detection.threat_hunting
 logsource:
 product: windows
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|contains|all:
- - '-Recurse'
- - '|'
- - 'Compress-Archive'
+ ScriptBlockText|contains: 'Compress-Archive'
 condition: selection
 falsepositives:
- - Highly likely if archive operations are done via PowerShell.
+ - Likely
 level: low
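Review bot: `- Likely` drops the information the previous falsepositives entry carried, namely which benign activity will trigger the rule; Sigma's `falsepositives` field is meant to tell the analyst what legitimate hits look like, not merely how often they occur. Suggest `- Likely, any legitimate use of Compress-Archive in scripts or interactive sessions will match`. Since the selection is now a single substring, it will also match the cmdlet name inside larger logged script blocks (help text, module code), which is acceptable for a hunting rule but worth stating in the description.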
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 77c56db45ec..0a1e4292ba5 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/10/24
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -453,26 +453,26 @@ detection:
 Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
 Image|endswith: '\version.dll'
 filter_optional_office_appvpolicy:
- Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
- ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+ Image|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
+ ImageLoaded|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
 filter_optional_azure:
- ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+ ImageLoaded|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
 filter_optional_dell:
- Image|startswith:
- - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- - 'C:\Windows\System32\backgroundTaskHost.exe'
- ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ Image|contains:
+ - ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ - ':\Windows\System32\backgroundTaskHost.exe'
+ ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 filter_optional_dell_wldp:
- Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ Image|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 Image|endswith: '\wldp.dll'
 filter_optional_checkpoint:
- Image|startswith:
- - 'C:\Program Files\CheckPoint\'
- - 'C:\Program Files (x86)\CheckPoint\'
+ Image|contains:
+ - ':\Program Files\CheckPoint\'
+ - ':\Program Files (x86)\CheckPoint\'
 Image|endswith: '\SmartConsole.exe'
- ImageLoaded|startswith:
- - 'C:\Program Files\CheckPoint\'
- - 'C:\Program Files (x86)\CheckPoint\'
+ ImageLoaded|contains:
+ - ':\Program Files\CheckPoint\'
+ - ':\Program Files (x86)\CheckPoint\'
 ImageLoaded|endswith: '\PolicyManager.dll'
 condition: selection and not 1 of filter_main_* and
not 1 of filter_optional_*
 falsepositives:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index c7eb42a2546..d2e570ff584 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -1,15 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
-id: 71ff406e-b633-4989-96ec-bc49d825a412
+id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2023/10/27
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
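Review bot: The move from `startswith: 'C:\…'` to `contains: ':\…'` in the Dell, CheckPoint and Azure filters only stays anchored because a colon cannot appear inside an NTFS path component, so the leading `:\` is silently doing the job of a drive-root anchor; nothing in the rule says so, and the next edit that trims an entry to `'\Program Files\CheckPoint\'` would turn the exclusion into a plain substring match on an attacker-placeable directory name. A one-line comment at the first such filter, e.g. `# ':\' keeps the match anchored at a drive root while staying drive-letter agnostic`, would protect that. The `DellInc.DellSupportAssistforPCs` entries intentionally carry no trailing backslash (the WindowsApps folder name presumably has a version suffix) and deserve the same note. The detection block starts before this hunk and its `condition:` line is split across the hunk boundary.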
@@ -18,11 +25,10 @@ logsource:
 service: powershell-classic
 detection:
 selection:
- Data|contains|all:
- - 'Compress-Archive'
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
+ Data|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 8185505ce55..8ef177de6c4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
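Review bot: The three new patterns hard-code the parameter order `-Path … -DestinationPath …`, whereas the replaced `contains|all` list matched its tokens in any order; PowerShell binds named parameters independently of position, so an invocation that names `-DestinationPath` first, or uses `-LiteralPath`, is no longer covered. If the fixed order is a deliberate false-positive trade-off, a comment saying so would help; otherwise keep an order-free companion such as `selection_unordered:` with `Data|contains|all: ['Compress-Archive', '-DestinationPath', '$env:TEMP']` and `condition: 1 of selection*`. The same three patterns are introduced in the module, script and process_creation siblings later in this commit (daf7eb81-35fd-410d-9d7a-657837e602bb, b7a3c9a3-09ea-4934-8864-6a32cacd98d9, 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98), so whichever decision is taken should be applied to all four.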
@@ -1,15 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
-id: daf7eb81-35fd-410d-9d7a-657837e602bb
+id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
@@ -18,13 +25,12 @@ logsource:
 category: ps_module
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
- selection_4103:
+ selection:
 ContextInfo|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
- condition: selection_4103
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
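Review bot: In the second hunk the unchanged `ContextInfo|contains|all:` now sits over a list of three mutually exclusive destination patterns (`$env:TEMP`, `\AppData\Local\Temp\`, `:\Windows\Temp\`), so the selection requires all three to occur in one event and the rule will effectively never fire. The classic and script siblings in this commit use plain `contains:` for the same list; change the modifier here to `ContextInfo|contains:` so the entries are OR-ed as intended. This is the kind of regression a single positive test event per rule would have caught.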
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 8e3d02546e7..1023cd6ee10 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -1,12 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+related:
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
@@ -15,13 +25,12 @@ logsource:
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
- selection_4104:
- ScriptBlockText|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
- condition: selection_4104
+ selection:
+ ScriptBlockText|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
index 28089bffb57..638262eb63a 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
@@ -20,7 +20,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
 author: Craig Young, oscd.community, Georg Lauenstein
 date: 2021/07/24
-modified: 2023/02/04
+modified: 2023/12/15
 tags:
 - attack.discovery
 - attack.t1016
@@ -32,24 +32,20 @@ detection:
 selection_nltest:
 - Image|endswith: '\nltest.exe'
 - OriginalFileName: 'nltestrk.exe'
- selection_recon1:
- CommandLine|contains|all:
- - '/server'
- - '/query'
- selection_recon2:
- CommandLine|contains:
- - '/dclist:'
- - '/parentdomain'
- - '/domain_trusts'
- - '/all_trusts' # Flag for /domain_trusts
- - '/trusted_domains'
- - '/user'
- condition: selection_nltest and 1 of selection_recon*
-fields:
- - Image
- - User
- - CommandLine
- - ParentCommandLine
+ selection_recon:
+ - CommandLine|contains|all:
+ - 'server'
+ - 'query'
+ - CommandLine|contains:
+ - '/user'
+ - 'all_trusts' # Flag for /domain_trusts
+ - 'dclist:'
+ - 'dnsgetdc:'
+ - 'domain_trusts'
+ - 'dsgetdc:'
+ - 'parentdomain'
+ - 'trusted_domains'
+ condition: all of selection_*
 falsepositives:
 - Legitimate administration use but user and host must be investigated
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
index d761577c210..d9795a0ebf0 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
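Review bot: The rewritten `selection_recon` drops the leading slash from every switch (`'dclist:'`, `'domain_trusts'`, …) but keeps it on `'/user'`, so the two entries follow different matching rules: if the slash was removed to be agnostic to the switch prefix character, `/user` should follow suit or carry a comment explaining why it is special (presumably because a bare `'user'` would be too broad). The `all of selection_*` condition now depends on `selection_recon` being a YAML list of maps, which Sigma treats as an OR of the two sub-maps; a short comment above it, `# list of maps: either sub-selection satisfies selection_recon`, would make that explicit for readers used to `1 of selection_recon*`. Removing the `fields:` block and lowering `level` to medium are undocumented here; one sentence in the rule description or commit message on why would help future maintainers.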
@@ -1,13 +1,20 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
 modified: 2022/10/09
 tags:
@@ -18,11 +25,10 @@ logsource:
 category: process_creation
 detection:
 selection:
- CommandLine|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
+ CommandLine|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
 condition: selection
 falsepositives:
 - Unknown
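Review bot: `modified: 2022/10/09` is left untouched in the first hunk although the title, related list, description, author and the entire detection logic change in this commit; the three PowerShell siblings received `modified: 2023/12/18` for the same edit. Update it to `modified: 2023/12/18` so consumers tracking rule changes by date can see that the logic moved. The description also says "Detects PowerShell scripts" for a process_creation rule that matches the command line; "Detects PowerShell invocations" would describe the actual event source.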
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 38aa56f3739..b7d6ba43153 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -1,11 +1,11 @@
-title: Disabled RestrictedAdminMode For RDS - ProcCreation
+title: RestrictedAdminMode Registry Value Tampering - ProcCreation
 id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 related:
 - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
 type: similar
 status: test
 description: |
- Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
 This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
@@ -13,6 +13,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
 date: 2023/01/13
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -24,7 +25,6 @@ detection:
 CommandLine|contains|all:
 - '\System\CurrentControlSet\Control\Lsa\'
 - 'DisableRestrictedAdmin'
- - ' 1'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
new file mode 100644
index 00000000000..fc9bf8c474b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
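Review bot: With `- ' 1'` removed in the third hunk the rule now also fires when `DisableRestrictedAdmin` is set back to 0, i.e. on deliberate hardening or GPO remediation, yet `falsepositives:` still lists only `- Unknown`. Add an entry such as `- Legitimate administration or hardening scripts that set DisableRestrictedAdmin to 0`, and reconsider whether `level` (outside this hunk) should stay the same now that enable and disable events are indistinguishable to the rule. The same applies to the registry_set sibling d6ce7ebd-260b-4323-9768-a9631c8d4db2 later in this commit, where `Details: 'DWORD (0x00000001)'` is dropped. Separately, the unchanged description line ending "has been compromise" is missing its final "d" in both rules.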
@@ -0,0 +1,31 @@
+title: Enable LM Hash Storage - ProcCreation
+id: 98dedfdd-8333-49d4-9f23-d7018cccae53
+related:
+ - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
+ type: similar
+status: test
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+ - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/15
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\System\CurrentControlSet\Control\Lsa\'
+ - 'NoLMHash'
+ - ' 0'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index a7f7c53712e..f5530768c25 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/19
 modified: 2022/10/10
 tags:
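Review bot: `- ' 0'` is the only token separating "LM hash storage enabled" from any other touch of `NoLMHash`, and as a bare substring it also matches values written as `0x1` or `01`; it is presumably kept this loose so that both `reg add … /d 0` and PowerShell `-Value 0` are covered. A comment on that line stating the trade-off, e.g. `- ' 0' # loose on purpose: matches 'reg add … /d 0' as well as 'Set-ItemProperty … -Value 0'`, would stop it from being tightened to `'/d 0'` later. `falsepositives: Unknown` could also note that `NoLMHash` is a documented policy setting that hardening scripts may write, so not every hit is tampering.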
diff --git a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
index a098d0454df..0a26512174c 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1354766164166115331
 author: Florian Roth (Nextron Systems)
 date: 2021/01/28
-modified: 2022/10/09
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -16,8 +16,6 @@ logsource:
 detection:
 selection:
 CommandLine|contains|all:
- - 'reg'
- - ' add '
 - '\Services\VSS\Diag'
 - '/d Disabled'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
index 56671315a59..ceb02dd82b2 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
@@ -4,7 +4,7 @@ status: test
 description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
 author: Sreeman
 date: 2021/06/11
-modified: 2022/08/05
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1562
@@ -14,9 +14,8 @@ logsource:
 detection:
 selection:
 CommandLine|contains|all:
- - 'reg add'
- - '\system\currentcontrolset\control'
- - 'write protection'
+ - '\System\CurrentControlSet\Control'
+ - 'Write Protection'
 - '0'
 CommandLine|contains:
 - 'storage'
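Review bot: Dropping `'reg'` and `' add '` in the volsnap rule only broadens coverage if the remaining tokens are tool-agnostic, but `'/d Disabled'` is reg.exe argument syntax, so a PowerShell equivalent writing `Disabled` to `\Services\VSS\Diag` still does not match and the change mainly stops requiring reg.exe itself to be visible in the command line. If reg.exe-independent coverage is the goal, `'/d Disabled'` needs a tool-neutral companion (a separate `CommandLine|contains: 'Disabled'` alongside the `\Services\VSS\Diag` path); if the goal is only to catch reg.exe reached through a wrapper, a one-line comment on the selection saying so would prevent the next reader from drawing the wider conclusion. The rest of the rule, including `level`, lies outside this hunk.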
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
index 4ca49d1f181..12f16076bfa 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
@@ -20,12 +20,12 @@ detection:
 - OriginalFileName: 'wmic.exe'
 selection_cli:
 CommandLine|contains: 'process'
- filter:
+ filter_main_creation:
 CommandLine|contains|all: # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
 - 'call'
 - 'create'
- condition: all of selection* and not filter
+ condition: all of selection* and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 098e845b946..df75d08f2a6 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -1,11 +1,11 @@
-title: Disabled RestrictedAdminMode For RDS
+title: RestrictedAdminMode Registry Value Tampering
 id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
 related:
 - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
 type: similar
 status: experimental
 description: |
- Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
 This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
@@ -13,7 +13,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
 date: 2023/01/13
-modified: 2023/08/17
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -23,7 +23,6 @@ logsource:
 detection:
 selection:
 TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
- Details: 'DWORD (0x00000001)'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
new file mode 100644
index 00000000000..72a748c8d16
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -0,0 +1,29 @@
+title: Enable LM Hash Storage
+id: c420410f-c2d8-4010-856b-dffe21866437
+related:
+ - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
+ type: similar
+status: experimental
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+ - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/15
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high