diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
index 2a8cd92f9..d4653288a 100644
--- a/rules/credential_access_potential_sam_hive_dumping.yml
+++ b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -19,15 +19,12 @@ references:
 condition: >
 sequence
 maxspan 10m
- |spawn_process
- and
- not
- (ps.exe imatches
- (
- '?:\\Program Files\\*.exe',
- '?:\\Program Files (x86)\\*.exe'
- )
- or
+ |spawn_process and not (ps.exe imatches
+ (
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe'
+ )
+ or
 (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
 )
 | by ps.child.uuid
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
index 782ad153c..3c1f987ba 100644
--- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
+++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -27,6 +27,12 @@ condition: >
 '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
 '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll'
 )
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe'
+ )
 output: >
 .NET assembly %image.name loaded by unmanaged process %ps.exe
diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml
index 3910dc50f..e596743b6 100644
--- a/rules/defense_evasion_hidden_registry_key_creation.yml
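Review bot: The `CrossDeviceService.exe` exclusion added in the .NET assembly hunk records no rationale, and because `condition:` is a YAML folded scalar a `#` line inside it would become filter text rather than a comment, so the reason belongs on a comment line above the key, e.g. `# FP exclusion: CrossDeviceService.exe observed loading .NET assemblies as an unmanaged host (<ticket/ref placeholder>)`. The exclusion is also path-only: the `?:` drive wildcard and the `*` package-folder wildcard make it match that file name anywhere under a WindowsApps tree, and nothing ties it to the image actually observed, so it is worth confirming this is the narrowest filter the false positive needs. The same undocumented, path-only process exclusion is added in the hidden registry key hunk and the thread context hunk later in this diff. The `condition:` block begins above this hunk.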
+++ b/rules/defense_evasion_hidden_registry_key_creation.yml
@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the creation of a hidden registry key. Adversaries can utilize the native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -19,6 +19,14 @@ condition: >
 set_value and kevt.pid != 4 and registry.key.name endswith '\\' and thread.callstack.symbols not imatches ('KernelBase.dll!RegSetValue*', 'KernelBase.dll!RegLoadAppKey*', 'KernelBase.dll!GetFileAttributes*')
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
+ '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
+ '?:\\Windows\\System32\\sppsvc.exe'
+ )
 output: >
 Hidden registry key %registry.key.name created by process %ps.exe
diff --git a/rules/defense_evasion_potential_process_hollowing_injection.yml b/rules/defense_evasion_potential_process_hollowing_injection.yml
index 63afea4db..f2b2fe5c7 100644
--- a/rules/defense_evasion_potential_process_hollowing_injection.yml
+++ b/rules/defense_evasion_potential_process_hollowing_injection.yml
@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.0
+version: 1.1.1
 description: |
 Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code
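Review bot: The hidden registry key hunk excludes MicrosoftEdgeUpdate.exe and sppsvc.exe for every `set_value` they emit, which is broader than a false positive needs: once the image matches, a hidden key (`registry.key.name endswith '\\'`) written anywhere is dropped, including one written by code injected into those processes. If the benign writes land under a known subtree, combine the image match with the key path so only that subtree is excepted, e.g. `not (ps.exe imatches ('?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe', ...) and registry.key.name imatches '<benign key prefix placeholder>\\*')`. Which keys these processes write is not visible in the hunk, so the prefix has to be confirmed against the observed events. The `condition:` block begins above this hunk.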
@@ -29,7 +29,12 @@ references:
 condition: >
 sequence
 maxspan 2m
- |spawn_process| by ps.child.uuid
+ |spawn_process and not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*'
+ )
+ | by ps.child.uuid
 |unmap_view_of_section and file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid
 |load_executable| by ps.uuid
 action:
diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
index 0017237e3..10ec904bd 100644
--- a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
+++ b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml
@@ -23,10 +23,7 @@ condition: >
 sequence
 maxspan 1m
 |map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096| as e1
- |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid
- and
- not
- ps.exe imatches
+ |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and kevt.pid != $e1.kevt.pid and not ps.exe imatches
 (
 '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
 '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
diff --git a/rules/defense_evasion_potential_thread_execution_hijacking.yml b/rules/defense_evasion_potential_thread_execution_hijacking.yml
index 6f8170036..aac207c3a 100644
--- a/rules/defense_evasion_potential_thread_execution_hijacking.yml
+++ b/rules/defense_evasion_potential_thread_execution_hijacking.yml
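Review bot: The new `spawn_process` step discards every process creation performed under SYSTEM, LOCAL SERVICE or NETWORK SERVICE (`not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20')`); if `ps.sid` here is the spawning process, as the `by ps.child.uuid` join suggests, a hollowing chain started from an already-elevated service context is never matched against the following `unmap_view_of_section` and `load_executable` steps. Since the sequence already requires the unmap and executable load on the same child, the false positive is presumably a particular service image rather than the whole SID class, and excluding that image, e.g. `and not ps.exe imatches ('<benign service image placeholder>')`, keeps SYSTEM-context hollowing visible. If the SID filter must stay, consider limiting it to S-1-5-19 and S-1-5-20 and noting the reason on a comment line above `condition:`. The Program Files exclusion on the parent is process-wide like the other hunks in this diff and needs the same rationale.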
@@ -30,10 +30,7 @@ condition: >
 sequence
 maxspan 2m
 by ps.uuid
- |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD')
- and
- not
- ps.exe imatches
+ |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and not ps.exe imatches
 (
 '?:\\Program Files\\*',
 '?:\\Program Files (x86)\\*'
diff --git a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
index 2d58861ca..db5aeeade 100644
--- a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
+++ b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
@@ -1,6 +1,6 @@
 name: Thread context set from unbacked memory
 id: f8219274-ee68-416b-8489-4d2e635c7844
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies manipulation of the thread context from unbacked memory region. This may be indicative of process injection.
@@ -14,5 +14,13 @@ labels:
 condition: >
 set_thread_context and thread.callstack.summary imatches ('ntdll.dll|kernelbase.dll|unbacked')
+ and
+ not
+ ps.exe imatches
+ (
+ '?:\\Program Files\\Git\\mingw64\\bin\\git.exe',
+ '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+ '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'
+ )
 min-engine-version: 2.2.0
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
index 5e3087ed3..5ce56205e 100644
--- a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
+++ b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
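Review bot: The thread context hunk excludes msedge.exe and git.exe from `set_thread_context` with an unbacked-memory callstack for every thread they touch, so code injected into Edge — the process-injection case the rule's description says it targets — would no longer be reported. If the false positive comes from Edge's own JIT-generated frames (inferred; the offending callstacks are not shown), a callstack-shaped exception is tighter than a process-wide one: keep the `thread.callstack.summary imatches ('ntdll.dll|kernelbase.dll|unbacked')` clause and add the specific benign summary observed for Edge to a `not thread.callstack.summary imatches (...)` term, rather than filtering on `ps.exe`. The same approach applies to git.exe if its callstacks are equally distinctive; otherwise keep the path exclusion but record the trigger on a comment line above `condition:`, since a `#` inside the folded scalar would be read as filter text.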
@@ -22,15 +22,12 @@ references:
 condition: >
 sequence
 maxspan 1m
- |create_remote_thread
- and
- not
- (ps.exe imatches
- (
- '?:\\Program Files\\*',
- '?:\\Program Files (x86)\\*'
- )
- or
+ |create_remote_thread and not (ps.exe imatches
+ (
+ '?:\\Program Files\\*',
+ '?:\\Program Files (x86)\\*'
+ )
+ or
 (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
 )
 | by thread.pid
diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
index d737b7924..6f57d99a8 100644
--- a/rules/initial_access_macro_execution_via_script_interpreter.yml
+++ b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -31,15 +31,8 @@ condition: >
 (create_file)
 or
 (
- load_module
- and
- not
- image.name imatches
- (
- '?:\\Program Files\\*',
- '?:\\Program Files (x86)\\*'
- )
- )
+ load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')
+ )
 )
 | by ps.uuid