-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Sigma Rule Update (2024-06-25 20:12:08) (#678)
Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>
- Loading branch information
1 parent
88e31cc
commit 62cffdd
Showing
37 changed files
with
642 additions
and
228 deletions.
There are no files selected for viewing
49 changes: 49 additions & 0 deletions
49
sigma/builtin/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
title: HackTool - Evil-WinRm Execution - PowerShell Module | ||
id: a0ecd6f3-309d-3ad0-2231-421f98a89f32 | ||
related: | ||
- id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51 | ||
type: derived | ||
status: experimental | ||
description: | | ||
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility. | ||
references: | ||
- https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb | ||
- https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code | ||
author: Nasreddine Bencherchali (Nextron Systems) | ||
date: 2024/02/25 | ||
tags: | ||
- attack.lateral_movement | ||
logsource: | ||
product: windows | ||
category: ps_module | ||
detection: | ||
ps_module: | ||
EventID: 4103 | ||
Channel: | ||
- Microsoft-Windows-PowerShell/Operational | ||
- PowerShellCore/Operational | ||
selection_wsm: | ||
ContextInfo|contains: | ||
- :\Windows\System32\wsmprovhost.exe | ||
- :\Windows\SysWOW64\wsmprovhost.exe | ||
selection_payload_1: | ||
Payload|contains: | ||
- value="(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592 | ||
- value="(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490 | ||
- 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740 | ||
- Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761 | ||
- Bypass-4MSI | ||
- IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','') | ||
selection_payload_2: | ||
Payload|contains|all: | ||
- $servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\" | ||
- Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath | ||
selection_payload_3: | ||
Payload|contains|all: | ||
- $a += \"$($_.FullName.Replace('\\','/'))/\"}else{ $a += \"$($_.FullName.Replace('\\', '/'))\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001 | ||
- $a=@();$ | ||
condition: ps_module and (selection_wsm and 1 of selection_payload_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
39 changes: 39 additions & 0 deletions
39
sigma/builtin/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename | ||
id: 183b6ab0-741c-5a2c-a72d-660f201d5710 | ||
related: | ||
- id: 129966c9-de17-4334-a123-8b58172e664d | ||
type: derived | ||
status: test | ||
description: | | ||
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. | ||
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. | ||
references: | ||
- https://twitter.com/mrd0x/status/1460597833917251595 | ||
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | ||
date: 2021/11/26 | ||
modified: 2024/06/21 | ||
tags: | ||
- attack.credential_access | ||
- attack.t1003.001 | ||
- sysmon | ||
logsource: | ||
product: windows | ||
category: process_creation | ||
detection: | ||
process_creation: | ||
EventID: 4688 | ||
Channel: Security | ||
selection_dump: | ||
NewProcessName|startswith: :\Program Files | ||
NewProcessName|contains: \Microsoft Visual Studio\ | ||
NewProcessName|endswith: \dump64.exe | ||
selection_tools_procdump: | ||
- OriginalFileName: procdump | ||
- CommandLine|contains: | ||
- ' -ma ' # Full Dump | ||
- ' -mp ' # Mini Plus | ||
condition: process_creation and (selection_dump and 1 of selection_tools_*) | ||
falsepositives: | ||
- Unknown | ||
level: high | ||
ruletype: Sigma |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
32 changes: 0 additions & 32 deletions
32
sigma/builtin/process_creation/proc_creation_win_explorer_lolbin_execution.yml
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
36 changes: 0 additions & 36 deletions
36
sigma/builtin/process_creation/proc_creation_win_lolbin_dump64.yml
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.