feat: update all process access rules

SigmaHQ · Nov 29, 2023 · 8f9dc5f · 8f9dc5f
1 parent fd7700f
commit 8f9dc5f
Show file tree

Hide file tree

Showing 32 changed files with 386 additions and 356 deletions.
diff --git a/...ss_win_lazagne_cred_dump_lsass_access.yml → ...ss_win_lazagne_cred_dump_lsass_access.yml b/...ss_win_lazagne_cred_dump_lsass_access.yml → ...ss_win_lazagne_cred_dump_lsass_access.yml
diff --git a/...ess/proc_access_win_lsass_susp_access.yml → ...ows/proc_access_win_lsass_susp_access.yml b/...ess/proc_access_win_lsass_susp_access.yml → ...ows/proc_access_win_lsass_susp_access.yml
@@ -1,6 +1,6 @@
 title: Credential Dumping Tools Accessing LSASS Memory
 id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
-status: experimental
+status: deprecated
 description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -9,7 +9,7 @@ references:
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
 date: 2017/02/16
-modified: 2023/03/22
+modified: 2023/11/30
 tags:
     - attack.credential_access
     - attack.t1003.001

diff --git a/...s_win_pypykatz_cred_dump_lsass_access.yml → ...s_win_pypykatz_cred_dump_lsass_access.yml b/...s_win_pypykatz_cred_dump_lsass_access.yml → ...s_win_pypykatz_cred_dump_lsass_access.yml
diff --git a/...access_win_malware_verclsid_shellcode.yml → ...access_win_malware_verclsid_shellcode.yml b/...access_win_malware_verclsid_shellcode.yml → ...access_win_malware_verclsid_shellcode.yml
@@ -11,22 +11,23 @@ tags:
     - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1055
+    - detection.emerging_threats
 logsource:
     category: process_access
     product: windows
-    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
-    selection:
+    selection_target:
         TargetImage|endswith: '\verclsid.exe'
         GrantedAccess: '0x1FFFFF'
-    combination1:
+    selection_calltrace_1:
         CallTrace|contains|all:
             - '|UNKNOWN('
             - 'VBE7.DLL'
-    combination2:
+    selection_calltrace_2:
         SourceImage|contains: '\Microsoft Office\'
         CallTrace|contains: '|UNKNOWN'
-    condition: selection and 1 of combination*
+    condition: selection_target and 1 of selection_calltrace_*
 falsepositives:
     - Unknown
 level: high
diff --git a/...api_in_powershell_credentials_dumping.yml → ...oc_access_win_lsass_powershell_access.yml b/...api_in_powershell_credentials_dumping.yml → ...oc_access_win_lsass_powershell_access.yml
@@ -6,15 +6,16 @@ related:
     - id: fb656378-f909-47c1-8747-278bf09f4f4f
       type: similar
 status: test
-description: Detects PowerShell processes requesting access to "lsass.exe"
+description: Detects PowerShell process requesting access to "lsass.exe". Which can be indicative of potential credential dumping attempts
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: oscd.community, Natalia Shornikova
 date: 2020/10/06
-modified: 2022/12/18
+modified: 2023/11/28
 tags:
     - attack.credential_access
     - attack.t1003.001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: process_access
@@ -27,4 +28,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium
diff --git a/...in_susp_proc_access_lsass_susp_source.yml → ..._access_win_lsass_susp_source_process.yml b/...in_susp_proc_access_lsass_susp_source.yml → ..._access_win_lsass_susp_source_process.yml
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -23,10 +23,6 @@ detection:
     selection:
         CallTrace|contains: 'cmlua.dll'
     condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
-    - Details
 falsepositives:
     - Legitimate CMSTP use (unlikely in modern enterprise environments)
 level: high
diff --git a/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml b/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml
@@ -1,4 +1,4 @@
-title: CobaltStrike BOF Injection Pattern
+title: HackTool - CobaltStrike BOF Injection Pattern
 id: 09706624-b7f6-455d-9d02-adee024cee1d
 status: test
 description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
@@ -7,7 +7,7 @@ references:
     - https://github.com/boku7/spawn
 author: Christian Burkard (Nextron Systems)
 date: 2021/08/04
-modified: 2022/12/31
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1106

diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
@@ -1,4 +1,4 @@
-title: Generic HackTool Process Access
+title: HackTool - Generic Process Access
 id: d0d2f720-d14f-448d-8242-51ff396a334e
 status: experimental
 description: Detects process access requests from hacktool processes based on their default image name

diff --git a/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml
@@ -1,11 +1,12 @@
-title: HandleKatz Duplicating LSASS Handle
+title: HackTool - HandleKatz Duplicating LSASS Handle
 id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
 status: test
 description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
 references:
     - https://github.com/codewhitesec/HandleKatz
 author: Bhabesh Raj (rule), @thefLinkk
 date: 2022/06/27
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1106
@@ -18,11 +19,11 @@ detection:
     selection:
         TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
         GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
-    call_trace:  # C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
+        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
         CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
         CallTrace|contains: '|UNKNOWN('
         CallTrace|endswith: ')'
-    condition: selection and call_trace
+    condition: selection
 falsepositives:
     - Unknown
 level: high
diff --git a/...s_win_littlecorporal_generated_maldoc.yml → ..._hktl_littlecorporal_generated_maldoc.yml b/...s_win_littlecorporal_generated_maldoc.yml → ..._hktl_littlecorporal_generated_maldoc.yml
@@ -1,12 +1,12 @@
-title: LittleCorporal Generated Maldoc Injection
+title: HackTool - LittleCorporal Generated Maldoc Injection
 id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
 status: test
 description: Detects the process injection of a LittleCorporal generated Maldoc.
 references:
     - https://github.com/connormcgarr/LittleCorporal
 author: Christian Burkard (Nextron Systems)
 date: 2021/08/09
-modified: 2022/06/02
+modified: 2023/11/28
 tags:
     - attack.execution
     - attack.t1204.002

diff --git a/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml b/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml
@@ -1,4 +1,4 @@
-title: SysmonEnte Usage
+title: HackTool - SysmonEnte Execution
 id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
 status: test
 description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
@@ -8,27 +8,31 @@ references:
     - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
 author: Florian Roth (Nextron Systems)
 date: 2022/09/07
-modified: 2022/09/09
+modified: 2023/11/28
 tags:
     - attack.defense_evasion
     - attack.t1562.002
 logsource:
     category: process_access
     product: windows
 detection:
-    selection_1:
-        TargetImage: 'C:\Windows\Sysmon64.exe'
+    selection_sysmon:
+        TargetImage|contains:
+            - ':\Windows\Sysmon.exe'
+            - ':\Windows\Sysmon64.exe'
         GrantedAccess: '0x1400'
-    filter_1:
-        SourceImage|startswith:
-            - 'C:\Program Files'
-            - 'C:\Windows\System32\'
-    filter_msdefender:
-        SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
-        SourceImage|endswith: '\MsMpEng.exe'
     selection_calltrace:
         CallTrace: 'Ente'
-    condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
+    filter_main_generic:
+        SourceImage|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+    filter_main_msdefender:
+        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
+        SourceImage|endswith: '\MsMpEng.exe'
+    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml
@@ -7,7 +7,7 @@ references:
     - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/10/20
-modified: 2022/10/09
+modified: 2023/11/29
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -17,9 +17,9 @@ logsource:
 detection:
     selection:
         TargetImage|endswith: '\lsass.exe'
-        SourceImage: 'C:\Windows\System32\rundll32.exe'
+        SourceImage|endswith: '\rundll32.exe'
         CallTrace|contains: 'comsvcs.dll'
     condition: selection
 falsepositives:
     - Unknown
-level: critical
+level: high
diff --git a/...c_access_win_lsass_memdump_indicators.yml → ...c_access_win_lsass_dump_keyword_image.yml b/...c_access_win_lsass_memdump_indicators.yml → ...c_access_win_lsass_dump_keyword_image.yml
@@ -1,12 +1,13 @@
-title: LSASS Memory Access by Tool Named Dump
+title: LSASS Memory Access by Tool With Dump Keyword In Name
 id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
 status: test
-description: Detects a possible process memory dump based on a keyword in the file name of the accessing process
+description: Detects lsass process access request from a source process with the "dump" keyword in its image name.
 references:
     - https://twitter.com/_xpn_/status/1491557187168178176
     - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
 author: Florian Roth (Nextron Systems)
 date: 2022/02/10
+modified: 2023/11/29
 tags:
     - attack.credential_access
     - attack.t1003.001

diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -1,15 +1,17 @@
-title: LSASS Memory Dump
+title: Credential Dumping Activity Via Lsass
 id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
-status: test
-description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
+status: experimental
+description: |
+    Detects process access requests to the Lsass process with specific call trace calls and access masks.
+    This behaviour is expressed by many credential dumping tool such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even Taskmgr dumping feature.
 references:
     - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
     - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
     - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/09/29
+modified: 2023/11/29
 tags:
     - attack.credential_access
     - attack.t1003.001
@@ -21,28 +23,35 @@ detection:
     selection:
         TargetImage|endswith: '\lsass.exe'
         GrantedAccess|contains:
-            # - '0x1fffff' # Too many false positives
-            # - '0x01000'  # Too many false positives
-            # - '0x1010'   # Too many false positives
             - '0x1038'
-            # - '0x40'   # Too many false positives
-            # - '0x1400'  # Too many false positives
-            # - '0x1410' # Too many false positives
-            - '0x1438'
             - '0x143a'
+            - '0x1438'
+            - '0x1000'
+            - '0x01000'  # Too many false positives
+            - '0x1010'   # Too many false positives
+            - '0x1400'  # Too many false positives
+            - '0x1410' # Too many false positives
+            - '0x1fffff' # Too many false positives
+            - '0x40'   # Too many false positives
         CallTrace|contains:
-            - 'dbghelp.dll'
             - 'dbgcore.dll'
+            - 'dbghelp.dll'
+            - 'kernel32.dll'
+            - 'kernelbase.dll'
             - 'ntdll.dll'
-    filter_thor:
+    filter_main_system_user:
+        SourceUser|contains: # Covers many language settings
+            - 'AUTHORI'
+            - 'AUTORI'
+    filter_optional_thor:
         CallTrace|contains|all:
-            - '|C:\Windows\Temp\asgard2-agent\'
+            - ':\Windows\Temp\asgard2-agent\'
             - '\thor\thor64.exe+'
             - '|UNKNOWN('
         GrantedAccess: '0x103800'
-    filter_sysmon:
-        SourceImage: 'C:\Windows\Sysmon64.exe'
-    condition: selection and not 1 of filter*
+    filter_optional_sysmon:
+        SourceImage|endswith: ':\Windows\Sysmon64.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - False positives are present when looking for 0x1410. Exclusions may be required.
+    - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml b/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml
@@ -0,0 +1,37 @@
+title: Credential Dumping Activity By Python Based Tool
+id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
+related:
+    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
+      type: obsoletes
+    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
+      type: obsoletes
+status: stable
+description: Detects LSASS process access for potential credential dumping by a python like tool such as LaZagne or Pypykatz.
+references:
+    - https://twitter.com/bh4b3sh/status/1303674603819081728
+    - https://github.com/skelsec/pypykatz
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2023/11/27
+modified: 2023/11/29
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - attack.s0349
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        TargetImage|endswith: '\lsass.exe'
+        CallTrace|contains|all:
+            - '_ctypes.pyd+'
+            - ':\Windows\System32\KERNELBASE.dll+'
+            - ':\Windows\SYSTEM32\ntdll.dll+'
+        CallTrace|contains:
+            - 'python27.dll+'
+            - 'python3*.dll+'
+        GrantedAccess: '0x1FFFFF'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/...proc_access_win_mimikatz_trough_winrm.yml → ..._win_lsass_remote_access_trough_winrm.yml b/...proc_access_win_mimikatz_trough_winrm.yml → ..._win_lsass_remote_access_trough_winrm.yml
@@ -1,12 +1,12 @@
-title: Mimikatz through Windows Remote Management
+title: Remote Lsass Process Access Through Windows Remote Management
 id: aa35a627-33fb-4d04-a165-d33b4afca3e8
 status: stable
-description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
+description: Detects remote access to the lsass process via WinRM. Could be a sign of credential dumping from tools such as mimikatz.
 references:
     - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
 author: Patryk Prauze - ING Tech
 date: 2019/05/20
-modified: 2021/06/21
+modified: 2023/11/29
 tags:
     - attack.credential_access
     - attack.execution
@@ -21,10 +21,10 @@ logsource:
 detection:
     selection:
         TargetImage|endswith: '\lsass.exe'
-        SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
-    filter:
+        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
+    filter_main_access:
         GrantedAccess: '0x80000000'
-    condition: selection and not filter
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unlikely
 level: high
diff --git a/..._access/proc_access_win_susp_seclogon.yml → ...proc_access_win_lsass_seclogon_access.yml b/..._access/proc_access_win_susp_seclogon.yml → ...proc_access_win_lsass_seclogon_access.yml
@@ -1,12 +1,12 @@
 title: Suspicious LSASS Access Via MalSecLogon
 id: 472159c5-31b9-4f56-b794-b766faa8b0a7
 status: test
-description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll"
+description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll" with a suspicious access right.
 references:
     - https://twitter.com/SBousseaden/status/1541920424635912196
     - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
     - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
-author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
+author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/29
 tags:
     - attack.credential_access