fix: fp first batch
nasbench committed Nov 9, 2023
1 parent c0e11f3 commit 83266fb
Showing 7 changed files with 60 additions and 80 deletions.
Expand Up @@ -13,6 +13,7 @@ tags:
- attack.privilege_escalation
- car.2013-08-001
- attack.t1053.005
- detection.threat_hunting
logsource:
product: windows
service: security
Expand Up @@ -14,6 +14,7 @@ tags:
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- detection.threat_hunting
logsource:
product: windows
category: file_event
Expand Up @@ -11,6 +11,7 @@ modified: 2023/02/22
tags:
- attack.collection
- attack.t1113
- detection.threat_hunting
logsource:
product: windows
category: image_load
Expand Up @@ -14,6 +14,7 @@ tags:
- attack.s0111
- attack.t1053.005
- car.2013-08-001
- detection.threat_hunting
logsource:
product: windows
category: registry_event
Expand All @@ -24,5 +25,5 @@ detection:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
condition: selection
falsepositives:
- Normal behaviour on Windows
- Likely as this is a normal behaviour on Windows
level: low
13 changes: 8 additions & 5 deletions rules/windows/builtin/security/win_security_iso_mount.yml
@@ -1,15 +1,15 @@
title: ISO Image Mount
title: ISO Image Mounted
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: test
description: Detects the mount of ISO images on an endpoint
description: Detects the mount of an ISO image on an endpoint
references:
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
- https://twitter.com/MsftSecIntel/status/1257324139515269121
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: Syed Hasan (@syedhasan009)
date: 2021/05/29
modified: 2022/10/05
modified: 2023/11/09
tags:
- attack.initial_access
- attack.t1566.001
Expand All @@ -23,8 +23,11 @@ detection:
ObjectServer: 'Security'
ObjectType: 'File'
ObjectName|startswith: '\Device\CdRom'
filter:
ObjectName: '\Device\CdRom0\setup.exe'
filter_main_generic:
ObjectName:
- '\Device\CdRom0\autorun.ico'
- '\Device\CdRom0\setup.exe'
- '\Device\CdRom0\setup64.exe'
condition: selection and not filter
falsepositives:
- Software installation ISO files
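Review bot: The filter was renamed to `filter_main_generic`, but the unchanged context line `condition: selection and not filter` still references the old identifier `filter`, which no longer exists under `detection`; depending on the backend this either fails validation as an undefined identifier or silently drops the exclusion so every CdRom access fires. The condition needs to follow the rename in the same commit, e.g. `condition: selection and not 1 of filter_main_*`. Note also that the new list entries are exact `ObjectName` values under `\Device\CdRom0\` only, while `selection` uses `ObjectName|startswith: '\Device\CdRom'`, so the same installer files on a second mounted image are not covered by the exclusion — if that is intended, a short comment on `filter_main_generic` would make it explicit. The `selection` block begins above the hunk.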
Expand Up @@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2023/08/08
modified: 2023/11/07
tags:
- attack.execution
- attack.t1047
Expand All @@ -25,41 +25,15 @@ detection:
- '\WMINet_Utils.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
filter_optional_generic:
filter_main_generic:
Image|contains:
- ':\Microsoft\Teams\current\Teams.exe'
- ':\Microsoft\Teams\Update.exe'
- ':\Windows\\explorer.exe'
- ':\Windows\Sysmon.exe'
- ':\Windows\Sysmon64.exe'
- ':\Windows\System32\CompatTelRunner.exe'
- ':\Windows\System32\DeviceCensus.exe'
- ':\Windows\System32\dfsrs.exe'
- ':\Windows\System32\dispdiag.exe'
- ':\Windows\System32\dxdiag.exe'
- ':\Windows\System32\gpresult.exe'
- ':\Windows\System32\logman.exe'
- ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
- ':\Windows\System32\sdiagnhost.exe'
- ':\Windows\System32\SecurityHealthService.exe'
- ':\Windows\System32\ServerManager.exe'
- ':\Windows\System32\SIHClient.exe'
- ':\Windows\System32\svchost.exe'
- ':\Windows\System32\systeminfo.exe'
- ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- ':\Windows\System32\tasklist.exe'
- ':\Windows\System32\vds.exe'
- ':\Windows\System32\wbem\unsecapp.exe'
- ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
- ':\Windows\System32\wbem\WmiApSrv.exe'
- ':\Windows\System32\wbem\WMIC.exe'
- ':\Windows\System32\wbem\WmiPrvSE.exe'
- ':\Windows\SysWOW64\explorer.exe'
- ':\Windows\SysWOW64\logman.exe'
- ':\Windows\SysWOW64\sdiagnhost.exe'
- ':\Windows\SysWOW64\svchost.exe'
- ':\Windows\SysWOW64\systeminfo.exe'
- ':\Windows\SysWOW64\wbem\WmiPrvSE.exe'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_other:
Image|endswith:
- '\WindowsAzureGuestAgent.exe'
Expand All @@ -79,7 +53,7 @@ detection:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
condition: selection and not 1 of filter_optional_*
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: low
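Review bot: The two new `Image|contains` entries `':\Windows\System32\'` and `':\Windows\SysWOW64\'` turn the former per-binary list into a blanket exclusion of every process image under the system directories, and moving the block from `filter_optional_generic` to `filter_main_generic` makes that exclusion mandatory rather than opt-in. That is a defensible tuning choice given the commit title, but the rule's `falsepositives: - Unknown` (still visible as context at the end of the hunk) no longer reflects what is being filtered; it should name the excluded classes, e.g. `- Loads by processes running from System32/SysWOW64 are excluded by filter_main_generic`. The `modified` date in the first hunk was set to `2023/11/07`, whereas the other rules touched by this commit use `2023/11/09`. The `detection` block starts above the hunk.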
85 changes: 42 additions & 43 deletions rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
Expand Up @@ -7,7 +7,7 @@ references:
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/01/25
modified: 2023/11/09
tags:
- attack.defense_evasion
- attack.t1562.002
Expand All @@ -20,59 +20,58 @@ detection:
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
filter_generic:
filter_main_generic:
# To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights
- SourceImage|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- TargetImage|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
filter_thor:
SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
SourceImage|endswith: '\thor64.exe'
filter_githubdesktop:
SourceImage|startswith: 'C:\Users\'
SourceImage|contains: '\AppData\Local\GitHubDesktop\app-'
- SourceImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- TargetImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_thor:
SourceImage|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_githubdesktop:
SourceImage|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\app-'
SourceImage|endswith:
- '\GitHubDesktop.exe'
- '\resources\app\git\usr\bin\sh.exe'
TargetImage|startswith: 'C:\Users\'
TargetImage|contains: '\AppData\Local\GitHubDesktop\app-'
filter_dotnet:
SourceImage|startswith:
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\Framework64\v'
TargetImage|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\app-'
filter_main_dotnet:
SourceImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
SourceImage|endswith: '\NGenTask.exe'
TargetImage|startswith:
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\Framework64\v'
filter_taskhost:
SourceImage:
- 'C:\WINDOWS\system32\taskhostw.exe'
- 'C:\Windows\system32\taskhost.exe'
TargetImage|startswith:
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\Framework64\v'
TargetImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
filter_main_taskhost:
SourceImage|contains:
- ':\WINDOWS\system32\taskhostw.exe'
- ':\Windows\system32\taskhost.exe'
TargetImage|contains:
- ':\Windows\Microsoft.NET\Framework\v'
- ':\Windows\Microsoft.NET\Framework64\v'
TargetImage|endswith: '\NGenTask.exe'
filter_teams_to_update:
SourceImage|startswith: 'C:\Users\'
filter_optional_teams_to_update:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
TargetImage|startswith: 'C:\Users\'
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
filter_teams_update_regsvr32:
SourceImage|startswith: 'C:\Users\'
filter_optional_teams_update_regsvr32:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe'
filter_teams_update_to_teams:
SourceImage|startswith: 'C:\Users\'
TargetImage|endswith: ':\WINDOWS\SysWOW64\regsvr32.exe'
filter_optional_teams_update_to_teams:
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
condition: selection and not 1 of filter_*
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
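Review bot: `filter_optional_thor` now excludes purely on `SourceImage|endswith` `'\thor.exe'` / `'\thor64.exe'`, dropping the `C:\Windows\Temp\asgard2-agent\` directory anchor that the old `filter_thor` required; for a rule whose selection is an unresolved-module call trace, a file-name-only exclusion is noticeably less precise than a path-anchored one, so keeping a directory condition next to it (e.g. `SourceImage|contains: '\asgard2-agent\'`) or, if the relaxation is intentional because THOR also runs from other locations, a one-line comment saying so would help the next maintainer. The switch from `startswith: 'C:\...'` to `contains: ':\...'` makes all the new filters drive-letter agnostic, yet `selection` at the top of the hunk still requires `CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'`, so the rule as a whole remains `C:`-only; the two should agree one way or the other. The `detection` block begins above the hunk.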
