diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
similarity index 51%
rename from rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
rename to rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
index 2a06a1d553d..97656a815a3 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
+++ b/rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml
@@ -6,10 +6,11 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113
 date: 2022/02/19
-modified: 2023/04/21
+modified: 2024/01/22
 tags:
 - attack.defense_evasion
 - attack.t1562.004
+ - detection.threat_hunting
 logsource:
 product: windows
 service: firewall-as
@@ -18,9 +19,20 @@ detection:
 EventID:
 - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)
 - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)
- filter_main_generic:
- ModifyingApplication|startswith:
- - 'C:\Program Files (x86)\'
- - 'C:\Program Files\'
- condition: selection and not 1 of filter_main_*
+ filter_optional_teams:
+ ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
+ filter_optional_keybase:
+ ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
+ filter_optional_messenger:
+ ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
+ filter_optional_opera:
+ ApplicationPath|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\Programs\Opera\'
+ - '\opera.exe'
+ filter_optional_brave:
+ ApplicationPath|contains|all:
+ - ':\Users\'
+ - '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
+ condition: selection
 level: low
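Review bot: The five `filter_optional_*` definitions added in the second hunk are never referenced, because the new condition is `condition: selection`, so Teams, Keybase, Messenger, Opera and Brave rule modifications are still matched and the filters are dead weight (pySigma's validators also flag unreferenced detection items). If the intent of the hunting rule is to surface every modification, drop the filters; if they are meant to apply, the condition should read `condition: selection and not 1 of filter_optional_*`. Either way a one-line comment above the filters stating which it is would spare the next reader the guess.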
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
similarity index 91%
rename from rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
rename to rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
index 66e2f29f075..60bc3502b8d 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
+++ b/rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml
@@ -6,10 +6,11 @@ references:
 - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2021/11/27
+modified: 2024/01/22
 tags:
 - attack.defense_evasion
 - attack.t1055.001
+ - detection.threat_hunting
 logsource:
 product: windows
 category: create_remote_thread
@@ -20,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
index 41af7402cab..86775c18f0a 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml
@@ -1,4 +1,4 @@
-title: New Firewall Rule Added In Windows Firewall Exception List
+title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
 id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 status: experimental
 description: Detects when a rule has been added to the Windows Firewall exception list
@@ -20,19 +20,25 @@ detection:
 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
 filter_main_block:
 Action: 2
- filter_main_installations:
- - ApplicationPath|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - ModifyingApplication|startswith: 'C:\Windows\WinSxS\' # TiWorker.exe
- - ModifyingApplication:
- - 'C:\Windows\System32\oobe\Setup.exe'
- - 'C:\Windows\SysWOW64\msiexec.exe'
- - 'C:\Windows\System32\svchost.exe'
- - 'C:\Windows\System32\dllhost.exe'
- - 'C:\Program Files\Windows Defender\MsMpEng.exe'
+ filter_main_generic:
+ ApplicationPath|contains:
+ - ':\Program Files (x86)\'
+ - ':\Program Files\'
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ - ':\Windows\WinSxS\'
 filter_optional_msmpeng:
- ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- ModifyingApplication|endswith: '\MsMpEng.exe'
+ ModifyingApplication|contains|all:
+ - ':\ProgramData\Microsoft\Windows Defender\Platform\'
+ - '\MsMpEng.exe'
+ filter_main_covered_paths:
+ # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
+ ApplicationPath|contains:
+ - ':\PerfLogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - ':\Windows\Tasks\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: medium
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
index 7a0906ce8c9..2c2fef840df 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
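Review bot: `filter_main_generic` now excludes any `ApplicationPath` containing `:\Windows\System32\`, which also swallows the user-writable subdirectories of System32 that are well-known drop locations (for example `spool\drivers\color` and `Tasks`), so a firewall exception added for a payload staged there is silently excluded; the `:\Windows\Tasks\` entry in `filter_main_covered_paths` does not catch the `System32\Tasks` spelling of the same folder. Consider narrowing the System32/SysWOW64 entries to the paths that legitimately own firewall rules, or adding those writable subfolders to the sibling rule `9e2575e7…` so they are not lost. Note also that the previous `ModifyingApplication` exclusions (`msiexec.exe`, `svchost.exe`, `dllhost.exe`, `oobe\Setup.exe`) are gone, so installers adding rules for applications outside `Program Files` will now alert at medium — presumably intended, but it deserves a sentence in `falsepositives`, which lies outside this hunk.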
@@ -1,16 +1,16 @@
-title: New Firewall Exception Rule Added For A Suspicious Folder
+title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
 id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 related:
 - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
 type: derived
 status: experimental
-description: Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder
+description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
 author: frack113
 date: 2023/02/26
-modified: 2024/01/17
+modified: 2024/01/22
 tags:
 - attack.defense_evasion
 - attack.t1562.004
@@ -23,25 +23,15 @@ detection:
 - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
 - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
 ApplicationPath|contains:
- - '\AppData\'
- - '\Temp\'
+ - ':\PerfLogs\'
+ - ':\Temp\'
+ - ':\Users\Public\'
+ - ':\Windows\Tasks\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
 filter_main_block:
 Action: 2
- filter_optional_teams:
- ApplicationPath|endswith: '\AppData\local\microsoft\teams\current\teams.exe'
- filter_optional_keybase:
- ApplicationPath|endswith: '\AppData\Local\Keybase\keybase.exe'
- filter_optional_messenger:
- ApplicationPath|endswith: '\AppData\Local\Programs\Messenger\Messenger.exe'
- filter_optional_opera:
- ApplicationPath|contains|all:
- - ':\Users\'
- - '\AppData\Local\Programs\Opera\'
- ApplicationPath|endswith: '\opera.exe'
- filter_optional_brave:
- ApplicationPath|contains: ':\Users\'
- ApplicationPath|endswith: '\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe'
- condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
- - Any legitimate application that runs from the AppData user directory
+ - Unknown
 level: high
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
index df4255c1faa..3b3076445d4 100644
--- a/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
+++ b/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml
@@ -6,7 +6,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
 author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/17
-modified: 2023/04/21
+modified: 2024/01/22
 tags:
 - attack.defense_evasion
 - attack.t1562.004
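Review bot: `falsepositives` is reset to `Unknown` while the level stays `high`, yet the new selection matches `\AppData\Local\Temp\` and `:\Windows\Temp\`, locations from which legitimate installers and self-extracting packages routinely execute and register their own firewall exceptions. Suggest keeping a concrete entry, e.g. `- Installers or portable applications executed from a temporary directory that register their own firewall exception`, or holding the level at medium until the new path list has been baselined. Separately, `:\Temp\` only matches a drive-root `Temp` folder, which is narrower than the `\Temp\` it replaces; if that narrowing is deliberate, a short comment on the entry would prevent someone "fixing" it back.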
@@ -18,14 +18,11 @@ detection:
 EventID:
 - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
 - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
- filter_main_generic:
- ModifyingApplication|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
 filter_main_svchost:
- ModifyingApplication: 'C:\Windows\System32\svchost.exe'
+ ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
 filter_optional_msmpeng:
- ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- ModifyingApplication|endswith: '\MsMpEng.exe'
+ ModifyingApplication|contains|all:
+ - ':\ProgramData\Microsoft\Windows Defender\Platform\'
+ - '\MsMpEng.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 level: high
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
index 542b9183af7..fce977a4f4f 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml
@@ -8,6 +8,7 @@ references:
 - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/07/28
+modified: 2024/01/22
 tags:
 - attack.credential_access
 logsource:
@@ -17,12 +18,12 @@ detection:
 selection:
 TargetImage|endswith: '\mstsc.exe'
 SourceImage|contains:
+ - ':\Temp\'
 - ':\Users\Public\'
 - ':\Windows\PerfLogs\'
 - ':\Windows\Tasks\'
- - ':\Temp\'
 - ':\Windows\Temp\'
- - ':\AppData\Local\Temp\'
+ - '\AppData\Local\Temp\'
 condition: selection
 falsepositives:
 - Unknown
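Review bot: In the `create_remote_thread_win_mstsc_susp_location.yml` hunk the unchanged entry `':\Windows\PerfLogs\'` names a directory that does not exist by default: the Windows performance-log folder is created at the drive root, `C:\PerfLogs`, which is exactly how the two firewall rules in this same commit spell it (`':\PerfLogs\'`), so this entry can never match and the list is inconsistent across the commit. While the hunk is already re-ordering this list, aligning it is a one-line change: replace `- ':\Windows\PerfLogs\'` with `- ':\PerfLogs\'`. The `'\AppData\Local\Temp\'` fix in the same hunk is the right call, since the old `:\`-anchored form could never match a per-user path either.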
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
index 011535aa405..1ebba8e8c49 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -1,10 +1,10 @@
-title: Remote Thread Creation Via PowerShell In Potentially Suspicious Target
+title: Remote Thread Creation Via PowerShell In Uncommon Target
 id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
 - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 type: similar
 status: experimental
-description: Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process
+description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
 references:
 - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
 author: Florian Roth (Nextron Systems)
@@ -24,7 +24,7 @@ detection:
 - '\powershell.exe'
 - '\pwsh.exe'
 TargetImage|endswith:
- # Note: Please add additonal potential interesting targets to increase coverage
+ # Note: Please add additional potential interesting targets to increase coverage
 - '\rundll32.exe'
 - '\regsvr32.exe'
 condition: selection
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
similarity index 69%
rename from rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
index 6acfcd87c6e..6a1cf6d94fb 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml
@@ -2,8 +2,8 @@ title: Password Dumper Remote Thread in LSASS
 id: f239b326-2f41-4d6b-9dfa-c846a60ef505
 status: stable
 description: |
- Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
- The process in field Process is the malicious program. A single execution can lead to hundreds of events.
+ Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
+ The process in field Process is the malicious program. A single execution can lead to hundreds of events.
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
 author: Thomas Patzke
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
new file mode 100644
index 00000000000..98033846ff0
--- /dev/null
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml
@@ -0,0 +1,67 @@
+title: Rare Remote Thread Creation By Uncommon Source Image
+id: 02d1d718-dd13-41af-989d-ea85c7fab93f
+related:
+ - id: 66d31e5f-52d6-40a4-9615-002d3789a119
+ type: derived
+status: experimental
+description: Detects uncommon processes creating remote threads.
+references:
+ - Personal research, statistical analysis
+ - https://lolbas-project.github.io
+author: Perez Diego (@darkquassar), oscd.community
+date: 2019/10/27
+modified: 2024/01/17
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: windows
+ category: create_remote_thread
+detection:
+ selection:
+ SourceImage|endswith:
+ - '\bash.exe'
+ - '\cscript.exe'
+ - '\cvtres.exe'
+ - '\defrag.exe'
+ - '\dnx.exe'
+ - '\esentutl.exe'
+ - '\excel.exe'
+ - '\expand.exe'
+ - '\find.exe'
+ - '\findstr.exe'
+ - '\forfiles.exe'
+ - '\gpupdate.exe'
+ - '\hh.exe'
+ - '\installutil.exe'
+ - '\lync.exe'
+ - '\makecab.exe'
+ - '\mDNSResponder.exe'
+ - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
+ - '\msbuild.exe'
+ - '\mshta.exe'
+ - '\mspaint.exe'
+ - '\outlook.exe'
+ - '\ping.exe'
+ - '\provtool.exe'
+ - '\python.exe'
+ - '\regsvr32.exe'
+ - '\robocopy.exe'
+ - '\runonce.exe'
+ - '\sapcimc.exe'
+ - '\smartscreen.exe'
+ - '\spoolsv.exe'
+ - '\tstheme.exe'
+ - '\userinit.exe'
+ - '\vssadmin.exe'
+ - '\vssvc.exe'
+ - '\w3wp.exe'
+ - '\winscp.exe'
+ - '\winword.exe'
+ - '\wmic.exe'
+ - '\wscript.exe'
+ condition: selection
+falsepositives:
+ - This rule is best put in testing first in order to crate a baseline that reflect the data in your environment.
+level: high
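Review bot: `level: high` contradicts the rule's own `falsepositives` entry, which states that a per-environment baseline must be built before the rule is trusted, and the parent rule it is derived from (`66d31e5f…`) is lowered to medium in this very commit with the identical note; a rule that admits it is untuned should not ship at high. The `falsepositives` sentence also carries two errors (`crate`, `reflect`) — suggested text: `This rule is best put in testing first in order to create a baseline that reflects the data in your environment.` Finally, `date: 2019/10/27` and `modified: 2024/01/17` appear to be carried over from the parent; if the project convention for a split is to keep the original dates that is fine, but a `modified` earlier than the commit date on a brand-new file will read as a mistake to anyone auditing rule history.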
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
similarity index 64%
rename from rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
index 1c1e363f946..d2c8e143e1a 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml
@@ -1,7 +1,10 @@
 title: Remote Thread Creation By Uncommon Source Image
 id: 66d31e5f-52d6-40a4-9615-002d3789a119
+related:
+ - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
+ type: derived
 status: experimental
-description: Detects uncommon processes creating remote threads
+description: Detects uncommon processes creating remote threads.
 references:
 - Personal research, statistical analysis
 - https://lolbas-project.github.io
@@ -18,54 +21,12 @@ logsource:
 detection:
 selection:
 SourceImage|endswith:
- - '\bash.exe'
- - '\cscript.exe'
- - '\cvtres.exe'
- - '\defrag.exe'
- - '\dnx.exe'
- - '\esentutl.exe'
- - '\excel.exe'
- - '\expand.exe'
 - '\explorer.exe'
- - '\find.exe'
- - '\findstr.exe'
- - '\forfiles.exe'
- # - '\git.exe'
- - '\gpupdate.exe'
- - '\hh.exe'
 - '\iexplore.exe'
- - '\installutil.exe'
- - '\lync.exe'
- - '\makecab.exe'
- - '\mDNSResponder.exe'
- - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
- - '\msbuild.exe'
- - '\mshta.exe'
 - '\msiexec.exe'
- - '\mspaint.exe'
- - '\outlook.exe'
- - '\ping.exe'
 - '\powerpnt.exe'
- - '\provtool.exe'
- - '\python.exe'
- - '\regsvr32.exe'
- - '\robocopy.exe'
- - '\runonce.exe'
- - '\sapcimc.exe'
 - '\schtasks.exe'
- - '\smartscreen.exe'
- - '\spoolsv.exe'
- # - '\taskhost.exe' # disabled due to false positives
- - '\tstheme.exe'
- - '\userinit.exe'
- - '\vssadmin.exe'
- - '\vssvc.exe'
- - '\w3wp.exe'
 - '\winlogon.exe'
- - '\winscp.exe'
- - '\winword.exe'
- - '\wmic.exe'
- - '\wscript.exe'
 filter_main_winlogon_1:
 SourceImage|endswith: ':\Windows\System32\winlogon.exe'
 TargetImage|endswith:
@@ -74,7 +35,7 @@ detection:
 - ':\Windows\System32\csrss.exe' # multiple OS
 - ':\Windows\System32\LogonUI.exe' # multiple OS
 filter_main_winlogon_2:
- SourceImage: 'C:\Windows\System32\winlogon.exe'
+ SourceImage|contains: ':\Windows\System32\winlogon.exe'
 TargetParentProcessId: 4
 filter_main_schtasks_conhost:
 SourceImage|endswith:
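Review bot: `filter_main_winlogon_2` switches to `SourceImage|contains: ':\Windows\System32\winlogon.exe'` while `filter_main_winlogon_1`, a few lines above in the same file, uses `SourceImage|endswith` for the very same binary; `contains` is the looser form (it also accepts any path that merely embeds that string) and the mismatch invites confusion when the two filters are read side by side. Use `SourceImage|endswith: ':\Windows\System32\winlogon.exe'` here as well. In the first hunk the `# - '\git.exe'` and `# - '\taskhost.exe' # disabled due to false positives` notes are deleted along with the list; that false-positive history is still relevant to the new derived rule and would be better moved there than lost.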
@@ -97,14 +58,14 @@ detection:
 - '\AppData\Local\'
 - ':\Program Files (x86)\'
 - ':\Program Files\'
- filter_optional_smartconsole1:
+ filter_optional_aurora_smartconsole1:
 SourceImage|contains: ':\Program Files\internet explorer\iexplore.exe'
 SourceCommandLine|contains|all:
 - 'https://'
 - '.checkpoint.com/documents/'
 - 'SmartConsole_OLH/'
 - 'default.htm#cshid='
- filter_optional_smartconsole2:
+ filter_optional_aurora_smartconsole2:
 SourceImage|contains: ':\Program Files\internet explorer\iexplore.exe'
 SourceParentImage|contains|all:
 - ':\Program Files' # x86 and not
@@ -117,5 +78,5 @@ detection:
 TargetImage|endswith: ':\Windows\System32\csrss.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Unknown
-level: high
+ - This rule is best put in testing first in order to crate a baseline that reflect the data in your environment.
+level: medium
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
similarity index 75%
rename from rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
index d240d2edefe..9dc7fdb68a7 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml
@@ -9,7 +9,7 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth (Nextron Systems)
 date: 2022/03/16
-modified: 2023/10/19
+modified: 2024/01/22
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -22,7 +22,6 @@ detection:
 TargetImage|endswith:
 - '\calc.exe'
 - '\calculator.exe'
- - '\explorer.exe'
 - '\mspaint.exe'
 - '\notepad.exe'
 - '\ping.exe'
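Review bot: The new `falsepositives` entry in the `@@ -117,5 +78,5 @@` hunk has two grammatical errors, `crate` and `reflect`; suggested text: `This rule is best put in testing first in order to create a baseline that reflects the data in your environment.` The same sentence is introduced verbatim in the new `create_remote_thread_win_susp_relevant_source_image.yml`, so both copies should be corrected together. The `filter_optional_aurora_smartconsole*` renames are harmless, but the `aurora` infix is an unexplained naming hint — presumably the sensor the filter was tuned on — and a comment such as `# Check Point SmartConsole online help opened through IE` above the first filter would tell a reader why the filter exists without having to know that convention.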
@@ -40,19 +39,9 @@ detection:
 SourceImage|endswith: ':\Program Files\VMware\VMware Tools\vmtoolsd.exe'
 StartFunction: 'GetCommandLineW'
 TargetImage|endswith:
- - ':\Windows\explorer.exe'
 - ':\Windows\System32\notepad.exe'
 - ':\Windows\System32\spoolsv.exe'
- filter_main_rundll32:
- SourceImage|endswith: ':\Windows\System32\rundll32.exe'
- TargetImage|endswith: ':\Windows\explorer.exe'
- StartFunction:
- - 'LoadLibraryW'
- - 'FreeLibrary'
- filter_optional_winzip:
- SourceImage|endswith: ':\Program Files\WinZip\FAHWindow64.exe'
- TargetImage|endswith: ':\Windows\explorer.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
index 42f8f429a7b..4615543180f 100644
--- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
+++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
@@ -6,7 +6,9 @@ related:
 - id: fe6e002f-f244-4278-9263-20e4b593827f
 type: obsoletes
 status: experimental
-description: Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.
+description: |
+ Detects loading of essential DLLs used by PowerShell by non powershell process.
+ Detects behavior similar to meterpreter's "load powershell" extension.
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
@@ -61,13 +63,13 @@ detection:
 filter_optional_citrix:
 Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
 filter_optional_vs:
- Image|startswith:
- - 'C:\Program Files (x86)\Microsoft Visual Studio\'
- - 'C:\Program Files\Microsoft Visual Studio\'
+ Image|contains:
+ - ':\Program Files (x86)\Microsoft Visual Studio\'
+ - ':\Program Files\Microsoft Visual Studio\'
 filter_optional_chocolatey:
 Image|contains: ':\ProgramData\chocolatey\choco.exe'
 filter_optional_nextron:
- Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ Image|contains: ':\Windows\Temp\asgard2-agent\'
 Image|endswith:
 - '\thor64.exe'
 - '\thor.exe'
diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index fbc4f2470e6..fa71c1d3278 100644
--- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
@@ -6,7 +6,7 @@ references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2024/01/18
+modified: 2024/01/22
 tags:
 - attack.lateral_movement
 - attack.t1021.001
@@ -19,12 +19,12 @@ detection:
 DestinationPort: 3389
 Initiated: 'true'
 filter_main_mstsc:
- Image:
- - 'C:\Windows\System32\mstsc.exe'
- - 'C:\Windows\SysWOW64\mstsc.exe'
+ Image|endswith:
+ - ':\Windows\System32\mstsc.exe'
+ - ':\Windows\SysWOW64\mstsc.exe'
 filter_optional_dns:
 # https://github.com/SigmaHQ/sigma/pull/2249
- Image: 'C:\Windows\System32\dns.exe'
+ Image|endswith: ':\Windows\System32\dns.exe'
 SourcePort: 53
 Protocol: 'udp'
 filter_optional_avast:
@@ -34,7 +34,7 @@ detection:
 filter_optional_sysinternals_rdcman:
 Image|endswith: '\RDCMan.exe'
 filter_optional_chrome:
- Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+ Image|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
 filter_optional_third_party:
 - '\FSAssessment.exe'
 - '\FSDiscovery.exe'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 0ae2e188924..3ef60efa8c2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -4,9 +4,9 @@ status: test
 description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/27
-modified: 2024/01/17
+modified: 2024/01/22
 tags:
 - attack.credential_access
 - attack.t1556.002
@@ -16,7 +16,7 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|re: 'Copy-Item .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
+ ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
 condition: selection
 falsepositives:
 - Unknown
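Review bot: The widened regex `(Copy-Item|cpi)` in the last hunk still omits the other built-in Copy-Item aliases on Windows PowerShell, `cp` and `copy`, and because Sigma's `re` modifier is case-sensitive unless the backend is told otherwise, `copy-item` or `COPY-ITEM` — both valid since PowerShell ignores case — bypass the rule entirely, as does any unambiguous parameter prefix such as `-Dest` that PowerShell accepts in place of `-Destination`. Suggest `ScriptBlockText|re: '(?i)(Copy-Item|cpi|copy|cp) .{2,128} -Des[a-z]* .{1,32}\\Windows\\(System32|SysWOW64)'` (or the `|re|i` modifier where the target backend supports it); a positional destination argument would remain uncovered and is worth a comment on the line. `cp` and `copy` are not aliases in PowerShell 7 on Linux/macOS, so adding them is safe for this Windows-only logsource.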