Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create file_event_win_create_hidden_directory_via_index_allocation.yml #4399

Merged
merged 8 commits into from
Oct 11, 2023
Merged

Create file_event_win_create_hidden_directory_via_index_allocation.yml #4399

merged 8 commits into from
Oct 11, 2023

Conversation

Scoubi
Copy link
Contributor

@Scoubi Scoubi commented Aug 26, 2023
edited by nasbench
Loading

Detection for https://twitter.com/pfiatde/status/1681977680688738305

Summary of the Pull Request

This PR adds detections related to abuse of "::$index_allocation" stream to hide folders and files from tooling such as explorer.exe

Changelog

new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Example Log Event

N/A

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

Scoubi
Scoubi commented Aug 27, 2023
View reviewed changes
Copy link
Contributor Author

@Scoubi Scoubi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed false positive & title

@nasbench nasbench self-requested a review August 28, 2023 21:56
@nasbench nasbench self-assigned this Aug 28, 2023
@nasbench nasbench added Rules Work In Progress Some changes are needed Windows Pull request add/update windows related rules labels Aug 28, 2023
@nasbench
Copy link
Member

nasbench commented Sep 7, 2023

Yo @Scoubi after some testing it seems that Sysmon doesn't capture the ADS creation ::$index_allocation

Here is an example event

<EventData>
  <Data Name="RuleName">-</Data> 
  <Data Name="UtcTime">2023-09-07 12:57:59.726</Data> 
  <Data Name="ProcessGuid">{351a8fc0-c031-64f9-2989-000000001800}</Data> 
  <Data Name="ProcessId">41900</Data> 
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data> 
  <Data Name="TargetFilename">C:\Users\xxxx\AppData\Local\Temp\indexalloc\...$.......</Data> 
  <Data Name="CreationUtcTime">2023-09-07 12:57:59.726</Data> 
  <Data Name="User">xxxx</Data> 
 </EventData>

I tried with the ETW provider Microsoft-Windows-Kernel-File and both EID 30 (CREATENEWFILE) and EID 10 (NAMECREATE) do not capture it as well. Here are some example

  • EID 30
{'EventHeader': {'Size': 268, 'HeaderType': 0, 'Flags': 576, 'EventProperty': 0, 'ThreadId': 36872, 'ProcessId': 41900, 'TimeStamp': 133385650797270835, 'ProviderId': '{EDD08927-9CC4-4E65-B970-C2560FB5C289}', 'EventDescriptor': {'Id': 30, 'Version': 1, 'Channel': 16, 'Level': 4, 'Opcode': 0, 'Task': 30, 'Keyword': 9223372036854779904}, 'KernelTime': 11, 'UserTime': 1, 'ActivityId': '{00000000-0000-0000-0000-000000000000}'}, 'Task Name': 'CREATENEWFILE', 'Irp': '0xFFFFBD0BF291C0F8', 'FileObject': '0xFFFFBD0BE7C44630', 'IssuingThreadId': '36872', 'CreateOptions': '0x2200021', 'CreateAttributes': '0x80', 'ShareAccess': '0x3', 'FileName': '\\Device\\HarddiskVolume3\\Users\\xxx\\AppData\\Local\\Temp\\indexalloc\\...$.......', 'Description': ''}
  • EID 10
{'EventHeader': {'Size': 244, 'HeaderType': 0, 'Flags': 576, 'EventProperty': 0, 'ThreadId': 36872, 'ProcessId': 41900, 'TimeStamp': 133385650797270906, 'ProviderId': '{EDD08927-9CC4-4E65-B970-C2560FB5C289}', 'EventDescriptor': {'Id': 10, 'Version': 0, 'Channel': 16, 'Level': 4, 'Opcode': 0, 'Task': 10, 'Keyword': 9223372036854775824}, 'KernelTime': 11, 'UserTime': 1, 'ActivityId': '{00000000-0000-0000-0000-000000000000}'}, 'Task Name': 'NAMECREATE', 'FileKey': '0xFFFF8681FABF0170', 'FileName': '\\Device\\HarddiskVolume3\\Users\\xxx\\AppData\\Local\\Temp\\indexalloc\\...$.......', 'Description': ''}

Did you get anything from your side?

@nasbench nasbench marked this pull request as draft September 7, 2023 13:48
@nasbench
Copy link
Member

nasbench commented Oct 8, 2023

As discussed with scoubi on this. The ::$index_allocation portion of the command md %temp%\...$.......::$index_allocation isn't caught by Sysmon or ETW.

CrowdStrike for example is able to catch this using its CommandHistory field which hooks into CMD console. See 1 and 2 for general information.

Since some EDRs are able to catch this. We'll add this rule for coverage as the technique is interesting.

@nasbench nasbench marked this pull request as ready for review October 8, 2023 23:58
@nasbench nasbench added 2nd Review Needed PR need a second approval and removed Work In Progress Some changes are needed labels Oct 8, 2023
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Oct 11, 2023
@nasbench nasbench merged commit 34cea54 into SigmaHQ:master Oct 11, 2023
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phantinuss phantinuss phantinuss approved these changes

@nasbench nasbench nasbench approved these changes

@frack113 frack113 Awaiting requested review from frack113

Assignees

@nasbench nasbench

Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Scoubi @nasbench @frack113 @phantinuss