chore: update more rules

rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml → rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml

@@ -6,10 +6,11 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/04/21
+modified: 2024/01/22
 tags:
     - attack.defense_evasion
     - attack.t1562.004
+    - detection.threat_hunting
 logsource:
     product: windows
     service: firewall-as
@@ -18,9 +19,20 @@ detection:
         EventID:
             - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
             - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)
-    filter_main_generic:
-        ModifyingApplication|startswith:
-            - 'C:\Program Files (x86)\'
-            - 'C:\Program Files\'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_teams:
+        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
+    filter_optional_keybase:
+        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
+    filter_optional_messenger:
+        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
+    filter_optional_opera:
+        ApplicationPath|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\Programs\Opera\'
+            - '\opera.exe'
+    filter_optional_brave:
+        ApplicationPath|contains|all:
+            - ':\Users\'
+            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
+    condition: selection
 level: low

rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml → rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml

@@ -6,10 +6,11 @@ references:
     - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2024/01/22
 tags:
     - attack.defense_evasion
     - attack.t1055.001
+    - detection.threat_hunting
 logsource:
     product: windows
     category: create_remote_thread
@@ -20,4 +21,4 @@ detection:
     condition: selection
 falsepositives:
     - Unknown
-level: high
+level: medium

rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml

@@ -1,4 +1,4 @@
-title: New Firewall Rule Added In Windows Firewall Exception List
+title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
 id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 status: experimental
 description: Detects when a rule has been added to the Windows Firewall exception list
@@ -20,19 +20,25 @@ detection:
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
     filter_main_block:
         Action: 2
-    filter_main_installations:
-        - ApplicationPath|startswith:
-              - 'C:\Program Files\'
-              - 'C:\Program Files (x86)\'
-        - ModifyingApplication|startswith: 'C:\Windows\WinSxS\'  # TiWorker.exe
-        - ModifyingApplication:
-              - 'C:\Windows\System32\oobe\Setup.exe'
-              - 'C:\Windows\SysWOW64\msiexec.exe'
-              - 'C:\Windows\System32\svchost.exe'
-              - 'C:\Windows\System32\dllhost.exe'
-              - 'C:\Program Files\Windows Defender\MsMpEng.exe'
+    filter_main_generic:
+        ApplicationPath|contains:
+            - ':\Program Files (x86)\'
+            - ':\Program Files\'
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+            - ':\Windows\WinSxS\'
     filter_optional_msmpeng:
-        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
-        ModifyingApplication|endswith: '\MsMpEng.exe'
+        ModifyingApplication|contains|all:
+            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
+            - '\MsMpEng.exe'
+    filter_main_covered_paths:
+        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
+        ApplicationPath|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Tasks\'
+            - ':\Windows\Temp\'
+            - '\AppData\Local\Temp\'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium

rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml

@@ -1,16 +1,16 @@
-title: New Firewall Exception Rule Added For A Suspicious Folder
+title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
 id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 related:
     - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
       type: derived
 status: experimental
-description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
+description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
     - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
-modified: 2024/01/17
+modified: 2024/01/22
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -23,25 +23,15 @@ detection:
             - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
             - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
         ApplicationPath|contains:
-            - '\AppData\'
-            - '\Temp\'
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Tasks\'
+            - ':\Windows\Temp\'
+            - '\AppData\Local\Temp\'
     filter_main_block:
         Action: 2
-    filter_optional_teams:
-        ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
-    filter_optional_keybase:
-        ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
-    filter_optional_messenger:
-        ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
-    filter_optional_opera:
-        ApplicationPath|contains|all:
-            - ':\Users\'
-            - '\AppData\Local\Programs\Opera\'
-        ApplicationPath|endswith: '\opera.exe'
-    filter_optional_brave:
-        ApplicationPath|contains: ':\Users\'
-        ApplicationPath|endswith: '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
-    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - Any legitimate application that runs from the AppData user directory
+    - Unknown
 level: high

rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml

@@ -6,7 +6,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/17
-modified: 2023/04/21
+modified: 2024/01/22
 tags:
     - attack.defense_evasion
     - attack.t1562.004
@@ -18,14 +18,11 @@ detection:
         EventID:
             - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
             - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
-    filter_main_generic:
-        ModifyingApplication|startswith:
-            - 'C:\Program Files\'
-            - 'C:\Program Files (x86)\'
     filter_main_svchost:
-        ModifyingApplication: 'C:\Windows\System32\svchost.exe'
+        ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
     filter_optional_msmpeng:
-        ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
-        ModifyingApplication|endswith: '\MsMpEng.exe'
+        ModifyingApplication|contains|all:
+            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
+            - '\MsMpEng.exe'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: high

rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml

@@ -8,6 +8,7 @@ references:
     - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
+modified: 2024/01/22
 tags:
     - attack.credential_access
 logsource:
@@ -17,12 +18,12 @@ detection:
     selection:
         TargetImage|endswith: '\mstsc.exe'
         SourceImage|contains:
+            - ':\Temp\'
             - ':\Users\Public\'
             - ':\Windows\PerfLogs\'
             - ':\Windows\Tasks\'
-            - ':\Temp\'
             - ':\Windows\Temp\'
-            - ':\AppData\Local\Temp\'
+            - '\AppData\Local\Temp\'
     condition: selection
 falsepositives:
     - Unknown

rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml

@@ -1,10 +1,10 @@
-title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target
+title: Remote Thread Creation Via PowerShell In Uncommon Target
 id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
     - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
       type: similar
 status: experimental
-description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process
+description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
@@ -24,7 +24,7 @@ detection:
             - '\powershell.exe'
             - '\pwsh.exe'
         TargetImage|endswith:
-            # Note: Please add additonal potential interesting targets to increase coverage
+            # Note: Please add additional potential interesting targets to increase coverage
             - '\rundll32.exe'
             - '\regsvr32.exe'
     condition: selection

rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml → rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml

@@ -2,8 +2,8 @@ title: Password Dumper Remote Thread in LSASS
 id: f239b326-2f41-4d6b-9dfa-c846a60ef505
 status: stable
 description: |
-  Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
-  The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
+    The process in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
     - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 author: Thomas Patzke

rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml

@@ -0,0 +1,67 @@
+title: Rare Remote Thread Creation By Uncommon Source Image
+id: 02d1d718-dd13-41af-989d-ea85c7fab93f
+related:
+    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
+      type: derived
+status: experimental
+description: Detects uncommon processes creating remote threads.
+references:
+    - Personal research, statistical analysis
+    - https://lolbas-project.github.io
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+modified: 2024/01/17
+tags:
+    - attack.privilege_escalation
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    product: windows
+    category: create_remote_thread
+detection:
+    selection:
+        SourceImage|endswith:
+            - '\bash.exe'
+            - '\cscript.exe'
+            - '\cvtres.exe'
+            - '\defrag.exe'
+            - '\dnx.exe'
+            - '\esentutl.exe'
+            - '\excel.exe'
+            - '\expand.exe'
+            - '\find.exe'
+            - '\findstr.exe'
+            - '\forfiles.exe'
+            - '\gpupdate.exe'
+            - '\hh.exe'
+            - '\installutil.exe'
+            - '\lync.exe'
+            - '\makecab.exe'
+            - '\mDNSResponder.exe'
+            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
+            - '\msbuild.exe'
+            - '\mshta.exe'
+            - '\mspaint.exe'
+            - '\outlook.exe'
+            - '\ping.exe'
+            - '\provtool.exe'
+            - '\python.exe'
+            - '\regsvr32.exe'
+            - '\robocopy.exe'
+            - '\runonce.exe'
+            - '\sapcimc.exe'
+            - '\smartscreen.exe'
+            - '\spoolsv.exe'
+            - '\tstheme.exe'
+            - '\userinit.exe'
+            - '\vssadmin.exe'
+            - '\vssvc.exe'
+            - '\w3wp.exe'
+            - '\winscp.exe'
+            - '\winword.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+    condition: selection
+falsepositives:
+    - This rule is best put in testing first in order to crate a baseline that reflect the data in your environment.
+level: high