From 7c830458e703bd238d0bb4368d96fe58318c4388 Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Fri, 27 Dec 2024 17:29:04 +0200
Subject: [PATCH 1/2] Merge PR #5138 from @DanielKoifman - Update `Suspicious Windows Service Tampering`
update: Suspicious Windows Service Tampering - Add additional services
---
 .../proc_creation_win_susp_service_tamper.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index d363c1c4fb9..8d153142bb5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -18,10 +18,11 @@ references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior
 date: 2022-09-01
-modified: 2024-10-21
+modified: 2024-12-23
 tags:
 - attack.defense-evasion
 - attack.t1489
+ - attack.t1562.001
 logsource:
 category: process_creation
 product: windows
@@ -148,6 +149,7 @@ detection:
 - 'mfewc'
 - 'MMS'
 - 'mozyprobackup'
+ - 'mpssvc'
 - 'MSComplianceAudit'
 - 'MSDTC'
 - 'MsDtsServer'
@@ -235,6 +237,7 @@ detection:
 - 'swi_service'
 - 'swi_update'
 - 'Symantec'
+ - 'sysmon'
 - 'TeamViewer'
 - 'Telemetryserver'
 - 'ThreatLockerService'
@@ -277,6 +280,7 @@ detection:
 - 'WRSVC'
 - 'wsbexchange'
 - 'WSearch'
+ - 'wscsvc'
 - 'Zoolz 2 Service'
 condition: all of selection_*
 falsepositives:
From 1df3c343910bb708908efc6ce2784e1193819c58 Mon Sep 17 00:00:00 2001
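Review bot: The new entries `'mpssvc'` here and `'wscsvc'` in the fourth hunk are built-in Windows security services (Defender Firewall and Security Center), yet they sit unannotated in a list that is otherwise mostly third-party product and backup service names, so nothing in the file ties them to the `attack.t1562.001` tag added in the first hunk. A short inline comment on each would let a tuner see why they are there and weigh the extra noise from admin scripts that stop them: `- 'mpssvc' # Windows Defender Firewall service` and `- 'wscsvc' # Windows Security Center service`. The selection this list belongs to starts before the hunk, so the command-line patterns it is combined with are not visible here.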
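Review bot: `'sysmon'` only covers a default-named Sysmon install; the service and driver names are whatever the operator chose at install time, and renaming them is a common hardening step, so on such hosts this entry gives no coverage at all. A comment makes that explicit for whoever deploys the rule: `- 'sysmon' # default name only; add the site-specific service name if Sysmon was installed under another name`. The enclosing selection starts before this hunk.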
From: Djordje Lukic <112394060+djlukic@users.noreply.github.com>
Date: Fri, 27 Dec 2024 16:38:02 +0100
Subject: [PATCH 2/2] Merge PR #5144 from @djlukic - Fix multiple FPs
fix: Relevant Anti-Virus Signature Keywords In Application Log - Enhances the `HTool` string to avoid unintended matches.
fix: Uncommon AppX Package Locations - Add `https://installer.teams.static.microsoft/`
fix: BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Add `dn.onenote.net/` and `cdn.office.net/`
fix: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Add filter for `Kaspersky` and `mDNS Responder`
---
 .../application/Other/win_av_relevant_match.yml | 6 ++++--
 ...deployment_server_uncommon_package_locations.yml | 3 ++-
 ...in_bits_client_new_transfer_via_uncommon_tld.yml | 4 +++-
 .../win_codeintegrity_attempted_dll_load.yml | 13 ++++++++++++-
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/application/Other/win_av_relevant_match.yml b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
index 6fe2530d1b1..62bbccddefa 100644
--- a/rules/windows/builtin/application/Other/win_av_relevant_match.yml
+++ b/rules/windows/builtin/application/Other/win_av_relevant_match.yml
@@ -10,7 +10,7 @@ references:
 - https://www.nextron-systems.com/?s=antivirus
 author: Florian Roth (Nextron Systems), Arnim Rupp
 date: 2017-02-19
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
 - attack.resource-development
 - attack.t1588
@@ -43,7 +43,9 @@ detection:
 - 'GrandCrab '
 - 'HackTool'
 - 'HKTL'
- - 'HTool'
+ - 'HTool-'
+ - '/HTool'
+ - '.HTool'
 - 'IISExchgSpawnCMD'
 - 'Impacket'
 - 'JSP/BackDoor '
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
index 4932cd36fa6..f99cf13f302 100644
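Review bot: The three replacement entries `'HTool-'`, `'/HTool'` and `'.HTool'` read as redundant next to the bare `'HackTool'` and `'HKTL'` lines above them, and nothing in the file records that the bare `'HTool'` substring was dropped on purpose (the commit message is the only place that says so). A comment on the first of the three would keep a later contributor from folding them back into the shorter form: `- 'HTool-' # bare 'HTool' produced unintended matches; keep the delimited forms`. The field and modifier this list is applied with are outside the hunk, so I am assuming a case-insensitive contains, under which a delimiter on one side is what narrows the match.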
--- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
+++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
@@ -9,7 +9,7 @@ references:
 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-01-11
-modified: 2024-08-29
+modified: 2024-12-25
 tags:
 - attack.defense-evasion
 logsource:
@@ -33,6 +33,7 @@ detection:
 - 'https://statics.teams.cdn.live.net/'
 - 'https://statics.teams.cdn.office.net/'
 - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+ - 'https://installer.teams.static.microsoft/'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
index 5f5fc4dce4f..1bed4b7f0de 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/malmoeb/status/1535142803075960832
 author: Florian Roth (Nextron Systems)
 date: 2022-06-10
-modified: 2023-03-27
+modified: 2024-12-25
 tags:
 - attack.defense-evasion
 - attack.persistence
@@ -24,6 +24,8 @@ detection:
 - '.com/'
 - '.sfx.ms/'
 - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&os=win64&lang=en-US
+ - 'cdn.onenote.net/'
+ - 'cdn.office.net/'
 condition: selection and not 1 of filter_main_*
 falsepositives:
 - This rule doesn't exclude other known TLDs such as ".org" or ".net". It's recommended to apply additional filters for software and scripts that leverage the BITS service
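Review bot: `'cdn.onenote.net/'` and `'cdn.office.net/'` are added as unanchored substrings like the `'download.mozilla.org/'` entry above them, so, assuming this filter is a contains on the transfer URL as its neighbours suggest, each is satisfied wherever the text occurs in the URL rather than only in the host part; prefixing the scheme, as the AppX rule earlier in this series does and as the example URL in the mozilla comment shows the field carries, pins them to the host position: `- 'https://cdn.onenote.net/'` and `- 'https://cdn.office.net/'`. Separately, the commit message says `dn.onenote.net/` where the hunk adds `cdn.onenote.net/`; the hunk is the correct one. The selection this filter belongs to starts before the hunk.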
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
index f9fac468880..f3c8172ecc8 100644
--- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
+++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml
@@ -11,7 +11,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022-01-20
-modified: 2024-10-08
+modified: 2024-12-25
 tags:
 - attack.execution
 logsource:
@@ -104,6 +104,17 @@ detection:
 - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent' # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
 - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
+ filter_optional_national_instruments:
+ # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
+ FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
+ filter_optional_kaspersky:
+ # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
+ - ProcessNameBuffer|contains|all:
+ - '\Kaspersky Lab\'
+ - '\avp.exe'
+ - FileNameBuffer|contains|all:
+ - '\Kaspersky Lab\'
+ - '\antimalware_provider.dll'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
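Review bot: The first alternative in `filter_optional_kaspersky` keys on `ProcessNameBuffer` alone (`'\Kaspersky Lab\'` plus `'\avp.exe'`), and because a list of maps is OR'ed in Sigma it drops every image that fails the signing-level check while being loaded by that process, whatever the image is; only the second alternative names the provider DLL from the example comment. If the intent is just the `antimalware_provider.dll` case, removing the two list dashes so that `ProcessNameBuffer|contains|all:` and `FileNameBuffer|contains|all:` become sibling keys of one map AND's the two conditions and keeps the exclusion bound to that one DLL; if avp.exe is known to load other under-signed images, a comment naming them would justify the wider form. The same process-only pattern already exists in the SentinelOne filter in the context lines, so this follows file precedent rather than introducing it. The `detection` block starts before the hunk.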