diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml index af7d03164..c0bcfd395 100644 --- a/rules/credentail_access_file_access_to_sam_database.yml +++ b/rules/credentail_access_file_access_to_sam_database.yml @@ -1,6 +1,6 @@ name: File access to SAM database id: e3dace20-4962-4381-884e-40dcdde66626 -version: 1.0.4 +version: 1.0.5 description: | Identifies access to the Security Account Manager on-disk database. labels: @@ -15,21 +15,19 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/ condition: > - open_file - and + open_file and file.path imatches - ( - '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', - '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', - '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM' - ) - and + ( + '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', + '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', + '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM' + ) and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files (x86)\\*', - '?:\\Windows\\System32\\lsass.exe', - '?:\\Windows\\System32\\srtasks.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files (x86)\\*', + '?:\\Windows\\System32\\lsass.exe', + '?:\\Windows\\System32\\srtasks.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml index 5ed966629..3e64b0293 100644 --- a/rules/credential_access_credential_access_from_backups_via_rundll32.yml +++ b/rules/credential_access_credential_access_from_backups_via_rundll32.yml @@ -1,6 +1,6 @@ name: Credentials access from backups via Rundll32 id: ff43852c-486c-4870-a318-ce976d2231a5 -version: 1.0.1 +version: 1.0.2 description: | Detects an attempt to obtain credentials from credential backups. labels: 
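Review bot: The rule file is named `credentail_access_file_access_to_sam_database.yml` while every sibling touched by this commit carries the `credential_access_` prefix, and the typo is not addressed here. Since the rule's version is already being bumped to 1.0.5, renaming the file in the same change would keep the rule set consistent and avoid a separate history-breaking move later. The reflowed condition itself reads correctly, and its `'?:\\Program Files (x86)\\*'` spelling (with the space) is the one that matches the real directory name.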
@@ -15,10 +15,8 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/ condition: > - spawn_process - and - (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') - and + spawn_process and + (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') and (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr')) min-engine-version: 3.0.0 diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml index bf9abb78a..03f4be7e2 100644 --- a/rules/credential_access_credential_discovery_via_vaultcmd.yml +++ b/rules/credential_access_credential_discovery_via_vaultcmd.yml @@ -1,6 +1,6 @@ name: Credential discovery via VaultCmd tool id: 2ce607d3-5a14-4628-be8a-22bcde97dab5 -version: 1.1.1 +version: 1.1.2 description: | Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, displays and deletes stored credentials. An adversary may abuse this to list or dump @@ -17,8 +17,8 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/ condition: > - spawn_process and (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe') - and + spawn_process and + (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe') and ps.child.cmdline imatches '*/list*' severity: medium diff --git a/rules/credential_access_lsass_handle_leak_via_seclogon.yml b/rules/credential_access_lsass_handle_leak_via_seclogon.yml index f66b7aa9f..a067afb1a 100644 --- a/rules/credential_access_lsass_handle_leak_via_seclogon.yml +++ b/rules/credential_access_lsass_handle_leak_via_seclogon.yml 
@@ -1,6 +1,6 @@ name: LSASS handle leak via Seclogon id: 5d55c938-875e-49e1-ae53-fa196d4445eb -version: 1.0.1 +version: 1.0.2 description: | Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in @@ -19,8 +19,8 @@ references: - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html condition: > - open_process and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' - and + open_process and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' and ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll') severity: high diff --git a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml index 26f88a1f0..3e27e8228 100644 --- a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml +++ b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml @@ -1,6 +1,6 @@ name: LSASS memory dump via MiniDumpWriteDump id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777 -version: 1.0.1 +version: 1.0.2 description: | Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the memory via MiniDumpWriteDump API. @@ -20,8 +20,8 @@ references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass condition: > - ((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' - and + ((open_process) or (open_thread)) and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump')) action: - name: kill 
diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml index eb724f20f..068ca8baa 100644 --- a/rules/credential_access_lsass_memory_dumping.yml +++ b/rules/credential_access_lsass_memory_dumping.yml @@ -1,6 +1,6 @@ name: LSASS memory dumping via legitimate or offensive tools id: 335795af-246b-483e-8657-09a30c102e63 -version: 1.0.3 +version: 1.0.4 description: | Detects an attempt to dump the LSAAS memory to the disk by employing legitimate tools such as procdump, Task Manager, Process Explorer or built-in Windows tools @@ -23,15 +23,14 @@ condition: > sequence maxspan 2m by ps.uuid - |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') - and - evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' - and + |open_process and + ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.exe not imatches - ( - '?:\\Windows\\System32\\svchost.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' - ) + ( + '?:\\Windows\\System32\\svchost.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' + ) | |write_minidump_file| diff --git a/rules/credential_access_lsass_process_clone_creation_via_reflection.yml b/rules/credential_access_lsass_process_clone_creation_via_reflection.yml index 452489e32..65e7a0b92 100644 --- a/rules/credential_access_lsass_process_clone_creation_via_reflection.yml +++ b/rules/credential_access_lsass_process_clone_creation_via_reflection.yml @@ -1,6 +1,6 @@ name: LSASS process clone creation via reflection id: cdf3810a-4832-446a-ac9d-d108cf2e313c -version: 1.0.1 +version: 1.0.2 description: | Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function. Adversaries can use this technique to dump credentials material from the LSASS fork and evade 
@@ -20,8 +20,8 @@ references: - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/ condition: > - spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' - and + spawn_process and + ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' and thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection') action: - name: kill diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml index d1a8dc93c..3a09d23c5 100644 --- a/rules/credential_access_potential_sam_hive_dumping.yml +++ b/rules/credential_access_potential_sam_hive_dumping.yml @@ -1,6 +1,6 @@ name: Potential SAM hive dumping id: 2f326557-0291-4eb1-a87a-7a17b7d941cb -version: 1.0.5 +version: 1.0.6 description: Identifies access to the Security Account Manager registry hives. labels: 
@@ -19,55 +19,52 @@ references: condition: > sequence maxspan 10m - |spawn_process and not (ps.exe imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe', - '?:\\Windows\\System32\\svchost.exe' - ) - or + |spawn_process and + not (ps.exe imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe', + '?:\\Windows\\System32\\svchost.exe' + ) or (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') ) | by ps.child.uuid - |open_registry - and - registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' - and + |open_registry and + registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and registry.path not imatches - ( - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users', - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names', - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account', - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*' - ) - and + ( + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users', + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names', + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account', + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*' + ) and ps.exe not imatches - ( - '?:\\Windows\\System32\\lsass.exe', - '?:\\Windows\\System32\\RuntimeBroker.exe', - '?:\\Windows\\explorer.exe', - '?:\\Windows\\System32\\Taskmgr.exe', - '?:\\Windows\\System32\\sihost.exe', - '?:\\Windows\\System32\\SearchIndexer.exe', - '?:\\Windows\\System32\\SearchProtocolHost.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\System32\\services.exe', - '?:\\Windows\\System32\\taskhostw.exe', - '?:\\Windows\\System32\\backgroundTaskHost.exe', - '?:\\Windows\\System32\\WerFault.exe', - '?:\\Windows\\System32\\ctfmon.exe', - '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe', - '?:\\Windows\\System32\\CompatTelRunner.exe', - '?:\\Windows\\System32\\cleanmgr.exe', - 
'?:\\Windows\\System32\\MoUsoCoreWorker.exe', - '?:\\Windows\\System32\\lpremove.exe', - '?:\\Windows\\System32\\LogonUI.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe', - '?:\\Windows\\System32\\ApplicationFrameHost.exe', - '?:\\Windows\\System32\\wbem\\WMIADAP.exe', - '?:\\Windows\\System32\\cleanmgr.exe' - ) + ( + '?:\\Windows\\System32\\lsass.exe', + '?:\\Windows\\System32\\RuntimeBroker.exe', + '?:\\Windows\\explorer.exe', + '?:\\Windows\\System32\\Taskmgr.exe', + '?:\\Windows\\System32\\sihost.exe', + '?:\\Windows\\System32\\SearchIndexer.exe', + '?:\\Windows\\System32\\SearchProtocolHost.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\services.exe', + '?:\\Windows\\System32\\taskhostw.exe', + '?:\\Windows\\System32\\backgroundTaskHost.exe', + '?:\\Windows\\System32\\WerFault.exe', + '?:\\Windows\\System32\\ctfmon.exe', + '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe', + '?:\\Windows\\System32\\CompatTelRunner.exe', + '?:\\Windows\\System32\\cleanmgr.exe', + '?:\\Windows\\System32\\MoUsoCoreWorker.exe', + '?:\\Windows\\System32\\lpremove.exe', + '?:\\Windows\\System32\\LogonUI.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe', + '?:\\Windows\\System32\\ApplicationFrameHost.exe', + '?:\\Windows\\System32\\wbem\\WMIADAP.exe', + '?:\\Windows\\System32\\cleanmgr.exe' + ) | by ps.uuid min-engine-version: 3.0.0 diff --git a/rules/credential_access_remote_thread_creation_into_lsass.yml b/rules/credential_access_remote_thread_creation_into_lsass.yml index 41e74f904..3555cd888 100644 --- a/rules/credential_access_remote_thread_creation_into_lsass.yml +++ b/rules/credential_access_remote_thread_creation_into_lsass.yml 
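Review bot: In the `registry.path not imatches` list, `'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'` lacks the `Domains\\` segment, so it can never intersect the paths selected by `registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'` and the exclusion is dead as written; if the Account aliases subkey was intended it would read `'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Aliases\\*'`, otherwise the entry should be removed so readers do not assume it is in effect. The `ps.exe not imatches` list also carries `'?:\\Windows\\System32\\cleanmgr.exe'` twice (once mid-list and again as the final entry); the duplicate can be dropped. Neither issue is introduced by the reflow, but the commit rewrites every one of these lines, so it is the natural place to settle them.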
@@ -1,6 +1,6 @@ name: Remote thread creation into LSASS id: e3ce8d6f-c260-48d6-9398-3c1c71726297 -version: 1.0.2 +version: 1.0.3 description: | Identifies the creation of a remote thread in LSASS (Local Security And Authority Subsystem Service) by untrusted or suspicious processes. This may indicate attempts to execute code inside the LSASS process @@ -17,8 +17,8 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/ condition: > - create_remote_thread and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' - and + create_remote_thread and + evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or pe.is_signed = false or pe.is_trusted = false) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml index 0503e0825..13e466896 100644 --- a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml +++ b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml @@ -1,6 +1,6 @@ name: Suspicious access to Active Directory domain database id: a30c100e-28d0-4aa0-b98d-0d38025c2c29 -version: 1.0.3 +version: 1.0.4 description: | Detects suspicious access to the Active Directory domain database. Adversaries may attempt to access or create a copy of the Active Directory 
@@ -17,18 +17,16 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1003/003/ condition: > - open_file - and + open_file and file.path imatches - ( - '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit', - '?:\\WINDOWS\\NTDS\\ntds.dit' - ) - and + ( + '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit', + '?:\\WINDOWS\\NTDS\\ntds.dit' + ) and ps.exe not imatches - ( - '?:\\Windows\\System32\\lsass.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' - ) + ( + '?:\\Windows\\System32\\lsass.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml index a9868f7f2..27187a463 100644 --- a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml +++ b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Unattended Panther files id: d305fb15-6ad1-4d61-a84b-ada462f23a55 -version: 1.0.3 +version: 1.0.4 description: | Identifies suspicious to access to unattend.xml files where credentials are commonly stored within the Panther directory. Adversaries may search local 
@@ -17,21 +17,19 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/ condition: > - open_file - and + open_file and file.path imatches - ( - '?:\\Windows\\Panther\\Unattend\\Unattended.xml', - '?:\\Windows\\Panther\\Unattend\\Unattend.xml', - '?:\\Windows\\Panther\\Unattended.xml', - '?:\\Windows\\Panther\\Unattend.xml' - ) - and + ( + '?:\\Windows\\Panther\\Unattend\\Unattended.xml', + '?:\\Windows\\Panther\\Unattend\\Unattend.xml', + '?:\\Windows\\Panther\\Unattended.xml', + '?:\\Windows\\Panther\\Unattend.xml' + ) and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml b/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml index 67b60e95d..51a50d4a6 100644 --- a/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml +++ b/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows DPAPI Master Keys id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5 -version: 1.0.3 +version: 1.0.4 description: | Detects suspicious processes accessing the Windows Data Protection API Master keys which is a sign of potential credential stealing. 
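Review bot: `'?:\\Program Files(x86)\\*'` in the `ps.exe not imatches` list has no space before `(x86)`, so it does not match the on-disk directory `Program Files (x86)` and that exclusion is inert; the SAM database rule earlier in this commit spells the same entry `'?:\\Program Files (x86)\\*'`. The space-less spelling recurs in the DPAPI master keys, Credential Manager files, Vault files, SSH keys and web browser credential store rules in this commit. Whether the pattern should be corrected to match or dropped is a tuning decision, but it should be made consistently across the rule set rather than left as a dead entry, and the reflow touches every one of these lines so this is a convenient point to decide.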
@@ -24,21 +24,19 @@ references: - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords condition: > - open_file - and + open_file and file.path imatches - ( - '?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*', - '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*', - '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-12-1-*\\*' - ) - and + ( + '?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*', + '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*', + '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-12-1-*\\*' + ) and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '?:\\Windows\\System32\\*', - '?:\\Windows\\SysWOW64\\*' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '?:\\Windows\\System32\\*', + '?:\\Windows\\SysWOW64\\*' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_access_to_windows_manager_files.yml b/rules/credential_access_suspicious_access_to_windows_manager_files.yml index 62f9aa076..e3b98ca87 100644 --- a/rules/credential_access_suspicious_access_to_windows_manager_files.yml +++ b/rules/credential_access_suspicious_access_to_windows_manager_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows Credential Manager files id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379 -version: 1.0.3 +version: 1.0.4 description: | Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager. labels: 
@@ -15,19 +15,17 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/ condition: > - open_file - and + open_file and file.path imatches - ( - '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*', - '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*' - ) - and + ( + '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*', + '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*' + ) and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '?:\\Windows\\System32\\lsass.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '?:\\Windows\\System32\\lsass.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_access_to_windows_vault_files.yml b/rules/credential_access_suspicious_access_to_windows_vault_files.yml index 16ac6729f..005f051bc 100644 --- a/rules/credential_access_suspicious_access_to_windows_vault_files.yml +++ b/rules/credential_access_suspicious_access_to_windows_vault_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows Vault files id: 44400221-f98d-424a-9388-497c75b18924 -version: 1.0.3 +version: 1.0.4 description: | Identifies attempts from adversaries to acquire credentials from Vault files. labels: 
@@ -15,22 +15,19 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/ condition: > - open_file - and + open_file and file.path imatches - ( - '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*', - '?:\\ProgramData\\Microsoft\\Vault\\*' - ) - and - file.extension in vault_extensions - and + ( + '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*', + '?:\\ProgramData\\Microsoft\\Vault\\*' + ) and + file.extension in vault_extensions and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '?:\\Windows\\System32\\lsass.exe', - '?:\\Windows\\System32\\svchost.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '?:\\Windows\\System32\\lsass.exe', + '?:\\Windows\\System32\\svchost.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml index 0c6e93b36..183c59a4e 100644 --- a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml +++ b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml @@ -1,6 +1,6 @@ name: Suspicious security package DLL loaded id: 2c74f176-9a95-4344-a1aa-15aa06e16919 -version: 1.1.2 +version: 1.1.3 description: | Attackers can abuse Windows Security Support Provider and Authentication Packages to dynamically inject a Security Package into the Local Security Authority Subsystem Service @@ -20,8 +20,7 @@ references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package condition: > - ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') - and + ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and (load_unsigned_or_untrusted_module) min-engine-version: 3.0.0 
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml index 344308055..deb0da9ba 100644 --- a/rules/credential_access_suspicious_vault_client_dll_load.yml +++ b/rules/credential_access_suspicious_vault_client_dll_load.yml @@ -1,6 +1,6 @@ name: Suspicious Vault client DLL load id: 64af2e2e-2309-4079-9c0f-985f1dd930f5 -version: 1.0.2 +version: 1.0.3 description: | Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials. 
@@ -21,35 +21,27 @@ references: condition: > sequence maxspan 2m - |spawn_process and ps.exe != '' - and - not + |spawn_process and + ps.exe != '' and + not ( - ps.child.exe imatches - ( - '?:\\Windows\\System32\\MDMAppInstaller.exe', - '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe', - '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe', - '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe', - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe', - '?:\\Windows\\winsxs\\*\\TiWorker.exe' - ) - or - (ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) - or - (ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') - or - (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) - or - (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args imatches ('-ServerName:*')) - or - (ps.child.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') - or - (ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') - or - (ps.exe imatches '?:\\Windows\\System32\\services.exe') - or + ps.child.exe imatches + ( + '?:\\Windows\\System32\\MDMAppInstaller.exe', + '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe', + '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe', + '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe', + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe', + '?:\\Windows\\winsxs\\*\\TiWorker.exe' + ) or + (ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or + (ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or + (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or + (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and 
ps.child.args imatches ('-ServerName:*')) or + (ps.child.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or + (ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or + (ps.exe imatches '?:\\Windows\\System32\\services.exe') or (ps.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe') ) | by ps.child.uuid diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml index 4dcdf89d1..cf092ba2d 100644 --- a/rules/credential_access_unusual_access_to_ssh_keys.yml +++ b/rules/credential_access_unusual_access_to_ssh_keys.yml @@ -1,6 +1,6 @@ name: Unusual access to SSH keys id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60 -version: 1.0.4 +version: 1.0.5 description: | Identifies access by unusual process to saved SSH keys. labels: @@ -15,22 +15,21 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/ condition: > - open_file and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' - and + open_file and + file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\Windows\\System32\\svchost.exe' - ) - and + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\Windows\\System32\\svchost.exe' + ) and ps.name not imatches - ( - 'PuTTYNG.exe', - 'putty*.exe', - 'ssh.exe', - 'WinSCP.exe' - ) + ( + 'PuTTYNG.exe', + 'putty*.exe', + 'ssh.exe', + 'WinSCP.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml index d9c4af1fb..75e2f10b3 100644 --- a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml 
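Review bot: The `not ( ... )` exclusion lists `'?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe'` inside the `ps.child.exe imatches` tuple and then repeats it as `(ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe')`; assuming `imatches` is case-insensitive, as the `i` prefix and the mixed-case paths elsewhere in the list suggest, the second clause is redundant and can go. The clause `(ps.exe imatches '?:\\Windows\\System32\\services.exe')` also deserves an explanation, since it suppresses the whole sequence for any child of services.exe regardless of what that child is, a far broader carve-out than the other entries; a sentence in the rule's `description` or a YAML comment line above `condition:` would do (a `#` inside the folded scalar would become part of the expression, not a comment). The sequence's second stage lies outside the hunk.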
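Review bot: The rule's name and description refer to saved SSH keys, but the only path the condition matches is `'?:\\Users\\*\\.ssh\\known_hosts'`, which stores host fingerprints rather than key material. If monitoring known_hosts is the intent, the description should say so explicitly; if the key files under the `.ssh` directory were meant, the pattern is narrower than the rule claims and the gap should be documented or closed. This predates the reflow, but the line is rewritten here.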
+++ b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml @@ -1,6 +1,6 @@ name: Unusual access to Web Browser Credential stores id: 9d889b2b-ca13-4a04-8919-ff1151f23a71 -version: 1.0.3 +version: 1.0.4 description: | Identifies access to Web Browser Credential stores by unusual processes. labels: @@ -15,18 +15,17 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/003/ condition: > - open_file and file.path imatches web_browser_cred_stores - and - ps.name not iin web_browser_binaries - and + open_file and + file.path imatches web_browser_cred_stores and + ps.name not iin web_browser_binaries and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files(x86)\\*', - '*\\Windows\\System32\\SearchProtocolHost.exe', - '*\\Windows\\explorer.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Program Files(x86)\\*', + '*\\Windows\\System32\\SearchProtocolHost.exe', + '*\\Windows\\explorer.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/credential_access_unusual_access_to_windows_credential_history.yml b/rules/credential_access_unusual_access_to_windows_credential_history.yml index aa4b3e6c7..08e4e97a0 100644 --- a/rules/credential_access_unusual_access_to_windows_credential_history.yml +++ b/rules/credential_access_unusual_access_to_windows_credential_history.yml @@ -1,6 +1,6 @@ name: Unusual access to Windows Credential history files id: 9d94062f-2cf3-407c-bd65-4072fe4b167f -version: 1.0.4 +version: 1.0.5 description: | Detects unusual accesses to the Windows Credential history file. The CREDHIST file contains all previous password-linked master key hashes used by 
@@ -18,14 +18,14 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/ condition: > - open_file and file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST' - and + open_file and + file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST' and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Windows\\System32\\lsass.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\ccmcache\\*.exe' - ) + ( + '?:\\Program Files\\*', + '?:\\Windows\\System32\\lsass.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\ccmcache\\*.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml index 56372b30e..4b409c6d4 100644 --- a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml +++ b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml @@ -1,6 +1,6 @@ name: AppDomain Manager injection via CLR search order hijacking id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18 -version: 1.0.4 +version: 1.0.5 description: | Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments 
@@ -25,8 +25,8 @@ references: - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ condition: > - (load_unsigned_or_untrusted_module) and ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) - and + (load_unsigned_or_untrusted_module) + and ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*')) output: > diff --git a/rules/defense_evasion_dll_loaded_via_apc_queue.yml b/rules/defense_evasion_dll_loaded_via_apc_queue.yml index 860890144..a5dff031f 100644 --- a/rules/defense_evasion_dll_loaded_via_apc_queue.yml +++ b/rules/defense_evasion_dll_loaded_via_apc_queue.yml @@ -1,6 +1,6 @@ name: DLL loaded via APC queue id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e -version: 1.0.2 +version: 1.0.3 description: | Identifies loading of a DLL with a callstack originating from the thread alertable state that led to the execution of an APC routine. This may be 
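Review bot: The `and` is left at the start of the continuation line here (`+ and ps.exe != '' and ...`) while every other reflowed condition in this commit moves it to the end of the preceding line, which makes this the one hunk that breaks the convention the change establishes. Ending the first line with `(load_unsigned_or_untrusted_module) and` and starting the next with `ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and` keeps the style uniform. That second line could also be split after `image.name)) and` to match the line lengths used in the other rules.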
@@ -16,18 +16,15 @@ references: - https://github.com/Idov31/Cronos condition: > - load_dll and image.name iin - ( - 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', - 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', - 'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll', - 'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll' - ) - and - thread.callstack.symbols imatches ('ntdll.dll!KiUserApcDispatcher') - and - thread.callstack.symbols imatches ('ntdll.dll!ZwDelayExecution') - and + load_dll and image.name iin + ( + 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', + 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', + 'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll', + 'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll' + ) and + thread.callstack.symbols imatches ('ntdll.dll!KiUserApcDispatcher') and + thread.callstack.symbols imatches ('ntdll.dll!ZwDelayExecution') and thread.callstack.symbols imatches ('KernelBase.dll!Sleep*') min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_dll_loaded_via_callback_function.yml b/rules/defense_evasion_dll_loaded_via_callback_function.yml index d9cbfedbb..2f0941a22 100644 --- a/rules/defense_evasion_dll_loaded_via_callback_function.yml +++ b/rules/defense_evasion_dll_loaded_via_callback_function.yml @@ -1,6 +1,6 @@ name: DLL loaded via a callback function id: c7f46d0a-10b2-421a-b33c-f4df79599f2e -version: 1.0.2 +version: 1.0.3 description: | Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback 
@@ -20,19 +20,18 @@ condition: > sequence maxspan 2m |spawn_process| by ps.child.uuid - |load_dll and image.name iin - ( - 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', - 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', - 'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll', - 'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll' - ) - and thread.callstack.summary - imatches - ( - 'ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll', - 'ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll' - ) + |load_dll and image.name iin + ( + 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', + 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', + 'wmiutils.dll', 'vaultcli.dll', 'System.Management.Automation.dll', 'psapi.dll', + 'mstscax.dll', 'dsquery.dll', 'mstask.dll', 'bitsproxy.dll' + ) and + thread.callstack.summary imatches + ( + 'ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll', + 'ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll' + ) | by ps.uuid output: > diff --git a/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml b/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml index 3709248bb..5296c9c48 100644 --- a/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml +++ b/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml @@ -1,6 +1,6 @@ name: DLL loaded via LdrpKernel32 overwrite id: 56739eda-210f-4a30-a114-d55ca60976df -version: 1.0.2 +version: 1.0.3 description: | Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL. 
@@ -18,17 +18,15 @@ references: - https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks condition: > - (load_unsigned_or_untrusted_dll) and thread.callstack.symbols imatches ('*!BaseThreadInitThunk*') - and - image.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' - and - not - foreach(thread._callstack, $frame, - $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*', - '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*', - '?:\\Windows\\WinSxS\\*\\kernel32.dll!BaseThreadInitThunk*', - '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*!BaseThreadInitThunk*', - '\\Device\\*\\Windows\\*\\kernel32.dll!BaseThreadInitThunk*')) + (load_unsigned_or_untrusted_dll) and + thread.callstack.symbols imatches ('*!BaseThreadInitThunk*') and + image.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' and + not foreach(thread._callstack, $frame, + $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*', + '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*', + '?:\\Windows\\WinSxS\\*\\kernel32.dll!BaseThreadInitThunk*', + '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*!BaseThreadInitThunk*', + '\\Device\\*\\Windows\\*\\kernel32.dll!BaseThreadInitThunk*')) action: - name: kill diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml index 311b610dc..50c703581 100644 --- a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml +++ b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml @@ -1,6 +1,6 @@ name: DLL Side-Loading via a copied binary id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c -version: 1.0.3 +version: 1.0.4 description: | Identifies when a binary is copied to a directory and shortly followed by the loading of an unsigned DLL from the same directory. Adversaries may 
@@ -20,12 +20,12 @@ labels: condition: > sequence maxspan 8m - |create_file and file.is_exec and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') - and + |create_file and + file.is_exec and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*') | by file.path - |(load_dll) and dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted - and + |(load_dll) and + dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted and (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED') | by ps.exe diff --git a/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml b/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml index a40bde259..8814aa4c0 100644 --- a/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml +++ b/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml @@ -1,6 +1,6 @@ name: DLL Side-Loading via Microsoft Office dropped file id: d808175d-c4f8-459d-b17f-ca9a88890c04 -version: 1.0.1 +version: 1.0.2 description: | Identifies Microsoft Office process creating a DLL or other variant of an executable object which is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious 
@@ -19,17 +19,19 @@ labels: condition: > sequence maxspan 6m - |create_file and (file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll) and ps.name iin msoffice_binaries| by file.path - |(load_unsigned_or_untrusted_dll) and pe.is_signed = true and ps.name not iin msoffice_binaries - and - image.path not imatches '?:\\Windows\\assembly\\NativeImages_*' - and + |create_file and + (file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll) and + ps.name iin msoffice_binaries + | by file.path + |(load_unsigned_or_untrusted_dll) + and pe.is_signed = true and ps.name not iin msoffice_binaries and + image.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and ps.exe not imatches - ( - '?:\\Windows\\System32\\msiexec.exe', - '?:\\Windows\\SysWOW64\\msiexec.exe', - '?:\\Windows\\System32\\spoolsv.exe' - ) + ( + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\SysWOW64\\msiexec.exe', + '?:\\Windows\\System32\\spoolsv.exe' + ) | by image.path output: > diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml index e6c31313d..fc625ebfe 100644 --- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml +++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml @@ -1,6 +1,6 @@ name: .NET assembly loaded by unmanaged process id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a -version: 1.0.7 +version: 1.0.8 description: | Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method. 
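Review bot: The second stage of the sequence is reflowed with a leading `and` (`|(load_unsigned_or_untrusted_dll)` followed by `+ and pe.is_signed = true and ...`), the opposite of the trailing-operator layout the rest of this commit adopts and of the first stage in this very hunk; write it as `|(load_unsigned_or_untrusted_dll) and` then `pe.is_signed = true and ps.name not iin msoffice_binaries and`. Mixed operator placement inside one rule is easy to misread when the condition is later extended. The `ps.exe not imatches (...)` exclusion for msiexec and spoolsv has no rationale next to it; a one-line note such as `# installers and the print spooler legitimately load freshly dropped DLLs` would stop a future reviewer from trimming it, assuming that is indeed why they were added.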
@@ -16,26 +16,24 @@ references: - https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process condition: > - (load_unsigned_or_untrusted_module) and ps.exe != '' and pe.is_dotnet = false - and - (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) - and + (load_unsigned_or_untrusted_module) and + ps.exe != '' and pe.is_dotnet = false and + (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and image.path not imatches - ( - '?:\\Windows\\assembly\\*\\*.ni.dll', - '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll', - '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll' - ) - and + ( + '?:\\Windows\\assembly\\*\\*.ni.dll', + '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll', + '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll' + ) and ps.exe not imatches - ( - '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe', - '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe', - '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe', - '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe', - '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe', - '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe' - ) + ( + '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe', + '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe', + '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe', + '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe', + '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe', + '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe' + ) output: > .NET assembly %image.path loaded by unmanaged process %ps.exe diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml index 45abfebf5..dc7c9e8e6 100644 --- a/rules/defense_evasion_hidden_registry_key_creation.yml +++ b/rules/defense_evasion_hidden_registry_key_creation.yml 
@@ -1,6 +1,6 @@ name: Hidden registry key creation id: 65deda38-9b1d-42a0-9f40-a68903e81b49 -version: 1.1.5 +version: 1.1.6 description: | Identifies the creation of a hidden registry key. Adversaries can utilize the native NtSetValueKey API to create a hidden registry key and conceal payloads 
@@ -16,28 +16,25 @@ references: - https://github.com/outflanknl/SharpHide condition: > - set_value and evt.pid != 4 and registry.path endswith '\\' - and - thread.callstack.symbols imatches ('ntdll.dll!NtSetValueKey', 'ntdll.dll!ZwSetValueKey') - and - thread.callstack.symbols not imatches ('KernelBase.dll!RegSetValue*', 'KernelBase.dll!RegLoadAppKey*', 'KernelBase.dll!GetFileAttributes*') - and + set_value and + evt.pid != 4 and registry.path endswith '\\' and + thread.callstack.symbols imatches ('ntdll.dll!NtSetValueKey', 'ntdll.dll!ZwSetValueKey') and + thread.callstack.symbols not imatches ('KernelBase.dll!RegSetValue*', 'KernelBase.dll!RegLoadAppKey*', 'KernelBase.dll!GetFileAttributes*') and ps.exe not imatches - ( - '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe', - '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe', - '?:\\Windows\\System32\\sppsvc.exe', - '?:\\Windows\\System32\\compattelrunner.exe', - '?:\\Windows\\explorer.exe', - '?:\\Windows\\System32\\lsass.exe', - '?:\\Windows\\System32\\svchost.exe' - ) - and + ( + '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe', + '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe', + '?:\\Windows\\System32\\sppsvc.exe', + '?:\\Windows\\System32\\compattelrunner.exe', + '?:\\Windows\\explorer.exe', + '?:\\Windows\\System32\\lsass.exe', + '?:\\Windows\\System32\\svchost.exe' + ) and ps.parent.exe not imatches - ( - '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe', - '?:\\WINDOWS\\System32\\svchost.exe' - ) + ( + '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe', + '?:\\WINDOWS\\System32\\svchost.exe' + ) output: > Hidden registry key %registry.path created by process %ps.exe diff --git a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml index 99c7a2494..1cf68a50b 100644 --- a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml 
+++ b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml @@ -1,6 +1,6 @@ name: Potential injection via .NET debugging id: 193ebf2f-e365-4f57-a639-275b7cdf0319 -version: 1.0.3 +version: 1.0.4 description: | Identifies creation of a process on behalf of the CLR debugging facility which may be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess @@ -17,17 +17,17 @@ references: - https://learn.microsoft.com/en-us/dotnet/framework/unmanaged-api/debugging/iclrdebugging-openvirtualprocess-method condition: > - spawn_process and ps.exe != '' and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess') - and + spawn_process and + ps.exe != '' and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess') and ps.child.exe not imatches - ( - '?:\\Visual Studio\\Common?\\IDE\\devenv.exe', - '?:\\Program Files\\Microsoft Visual Studio\\*.exe', - '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe', - '?:\\Program Files\\IIS Express\\iisexpress.exe', - '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe' - ) - and ps.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe' + ( + '?:\\Visual Studio\\Common?\\IDE\\devenv.exe', + '?:\\Program Files\\Microsoft Visual Studio\\*.exe', + '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe', + '?:\\Program Files\\IIS Express\\iisexpress.exe', + '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe' + ) and + ps.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe' output: > Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection diff --git a/rules/defense_evasion_potential_process_creation_via_shellcode.yml b/rules/defense_evasion_potential_process_creation_via_shellcode.yml index fa091e184..27adbd0a1 100644 --- a/rules/defense_evasion_potential_process_creation_via_shellcode.yml +++ b/rules/defense_evasion_potential_process_creation_via_shellcode.yml 
@@ -1,6 +1,6 @@
 name: Potential process creation via shellcode
 id: 7a918532-12d1-4aa2-8c46-8769c67cac07
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies the creation of a process with stack frames originating from floating memory area while invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of
@@ -16,8 +16,8 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec
 condition: >
- spawn_process and thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*'
- and
+ spawn_process and
+ thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*' and
 thread.callstack.symbols imatches ('kernel32.dll!WinExec*')
 output: >
diff --git a/rules/defense_evasion_potential_process_hollowing_injection.yml b/rules/defense_evasion_potential_process_hollowing_injection.yml
index 744770a62..52244abc4 100644
--- a/rules/defense_evasion_potential_process_hollowing_injection.yml
+++ b/rules/defense_evasion_potential_process_hollowing_injection.yml
@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.5
+version: 1.1.6
 description: |
 Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -29,14 +29,18 @@ references: condition: > sequence maxspan 2m - |spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe', - '?:\\Users\\*\\AppData\\Local\\Programs\\Common\\OneDriveCloud\\taskhostw.exe' - ) + |spawn_process and + ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and + ps.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe', + '?:\\Users\\*\\AppData\\Local\\Programs\\Common\\OneDriveCloud\\taskhostw.exe' + ) | by ps.child.uuid - |unmap_view_of_section and file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')| by ps.uuid + |unmap_view_of_section and + file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll') + | by ps.uuid |load_executable| by ps.uuid action: - name: kill diff --git a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml index 5f2178685..cb52e465c 100644 --- a/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml +++ b/rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml @@ -1,6 +1,6 @@ name: Potential process injection via tainted memory section id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09 -version: 1.0.4 +version: 1.0.5 description: | Identifies potential process injection when the adversary creates and maps a memory section with RW protection rights followed by mapping of the same memory section in 
@@ -22,26 +22,30 @@ references: condition: > sequence maxspan 1m - |map_view_of_section and file.view.protection = 'READWRITE' and evt.pid != 4 and file.view.size >= 4096 and ps.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe', - '?:\\WINDOWS\\System32\\csrss.exe', - '?:\\WINDOWS\\Explorer.exe', - '?:\\WINDOWS\\System32\\svchost.exe', - '?:\\WINDOWS\\System32\\lsass.exe', - '?:\\WINDOWS\\System32\\SecurityHealthService.exe', - '?:\\WINDOWS\\System32\\services.exe' - ) + |map_view_of_section and + file.view.protection = 'READWRITE' and evt.pid != 4 and file.view.size >= 4096 and + ps.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe', + '?:\\WINDOWS\\System32\\csrss.exe', + '?:\\WINDOWS\\Explorer.exe', + '?:\\WINDOWS\\System32\\svchost.exe', + '?:\\WINDOWS\\System32\\lsass.exe', + '?:\\WINDOWS\\System32\\SecurityHealthService.exe', + '?:\\WINDOWS\\System32\\services.exe' + ) | as e1 - |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and evt.pid != $e1.evt.pid and ps.exe not imatches - ( - '?:\\Program Files\\Mozilla Firefox\\firefox.exe', - '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' - ) + |map_view_of_section and + file.view.protection = 'READONLY|EXECUTE' and file.key = $e1.file.key and evt.pid != $e1.evt.pid and + ps.exe not imatches + ( + '?:\\Program Files\\Mozilla Firefox\\firefox.exe', + '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' + ) | action: - name: kill 
diff --git a/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml b/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml index 78c9709ae..e5377afb6 100644 --- a/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml +++ b/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml @@ -1,6 +1,6 @@ name: Potential shellcode execution via ETW logger thread id: 3e915273-5ea0-4576-afc9-b018e2d53545 -version: 1.0.1 +version: 1.0.2 description: | Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode within the local process address space. @@ -16,17 +16,14 @@ references: - https://github.com/Ne0nd0g/go-shellcode/tree/master?tab=readme-ov-file#EtwpCreateEtwThread condition: > - create_thread and evt.pid != 4 and thread.callstack.symbols iin ('ntdll.dll!EtwpCreateEtwThread') - and - not - (ps.exe imatches - ( - '?:\\WINDOWS\\System32\\ProvTool.exe', - '?:\\Windows\\System32\\LogonUI.exe' - ) - or - thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*') - ) + create_thread and + evt.pid != 4 and thread.callstack.symbols iin ('ntdll.dll!EtwpCreateEtwThread') and + not (ps.exe imatches + ( + '?:\\WINDOWS\\System32\\ProvTool.exe', + '?:\\Windows\\System32\\LogonUI.exe' + ) or + thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*')) output: > Potential shellcode execution via EtwpCreateEtwThread API initiated by process %ps.exe diff --git a/rules/defense_evasion_potential_thread_execution_hijacking.yml b/rules/defense_evasion_potential_thread_execution_hijacking.yml index 6017a00af..6a7f58d35 100644 --- a/rules/defense_evasion_potential_thread_execution_hijacking.yml +++ b/rules/defense_evasion_potential_thread_execution_hijacking.yml 
@@ -1,6 +1,6 @@ name: Potential thread execution hijacking id: 8b9f6d47-e9ba-4b3a-9da2-d7bf27e08ca9 -version: 1.0.2 +version: 1.0.3 description: | Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of @@ -30,11 +30,13 @@ condition: > sequence maxspan 2m by ps.uuid - |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and ps.exe not imatches - ( - '?:\\Program Files\\*', - '?:\\Program Files (x86)\\*' - ) + |open_remote_thread and + thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and + ps.exe not imatches + ( + '?:\\Program Files\\*', + '?:\\Program Files (x86)\\*' + ) | |set_thread_context| action: diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml index 713a805fd..911f657c6 100644 --- a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml +++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml @@ -1,6 +1,6 @@ name: Process execution from a self-deleting binary id: 0f0da517-b22c-4d14-9adc-36baeb621cf7 -version: 1.0.3 +version: 1.0.4 description: | Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file 
@@ -20,22 +20,21 @@ references: condition: > sequence maxspan 1m - |delete_file and file.info.is_disposition_delete_file - and + |delete_file and + file.info.is_disposition_delete_file and ps.exe not imatches - ( - '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe', - '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe', - '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe', - '?:\\WINDOWS\\System32\\svchost.exe', - '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe' - ) - and + ( + '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe', + '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe', + '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe', + '?:\\WINDOWS\\System32\\svchost.exe', + '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe' + ) and file.path not imatches - ( - '?:\\Windows\\SoftwareDistribution\\Download\\*', - '?:\\Windows\\uus\\packages\\preview\\*' - ) + ( + '?:\\Windows\\SoftwareDistribution\\Download\\*', + '?:\\Windows\\uus\\packages\\preview\\*' + ) | by file.name |load_module and ext(image.path) != '.dll'| by image.name diff --git a/rules/defense_evasion_process_spawned_via_remote_thread.yml b/rules/defense_evasion_process_spawned_via_remote_thread.yml index 76fd1fcf3..86394a599 100644 --- a/rules/defense_evasion_process_spawned_via_remote_thread.yml +++ b/rules/defense_evasion_process_spawned_via_remote_thread.yml @@ -1,6 +1,6 @@ name: Process spawned via remote thread id: 9a2c7b40-4e5f-4edf-b02e-79cd33c9a137 -version: 1.0.3 +version: 1.0.4 description: | Identifies the creation of a process with the parent call stack not revealing normal API functions for process creation. This may be a 
@@ -14,10 +14,8 @@ labels: technique.ref: https://attack.mitre.org/techniques/T1055/ condition: > - spawn_process - and - thread.callstack.symbols imatches ('ntdll.dll!ZwCreateThreadEx*', 'ntdll.dll!NtCreateThreadEx*', 'ntdll.dll!RtlCreateUserThread') - and + spawn_process and + thread.callstack.symbols imatches ('ntdll.dll!ZwCreateThreadEx*', 'ntdll.dll!NtCreateThreadEx*', 'ntdll.dll!RtlCreateUserThread') and thread.callstack.symbols not imatches ('*CreateProcess*', '*CreateUserProcess*') action: - name: kill diff --git a/rules/defense_evasion_regsvr32_scriptlet_execution.yml b/rules/defense_evasion_regsvr32_scriptlet_execution.yml index 35667033c..2a93b5dd1 100644 --- a/rules/defense_evasion_regsvr32_scriptlet_execution.yml +++ b/rules/defense_evasion_regsvr32_scriptlet_execution.yml @@ -1,6 +1,6 @@ name: Regsvr32 scriptlet execution id: 128f5254-67c9-43ac-b901-18b3731b1d0b -version: 1.0.2 +version: 1.0.3 description: | Identifies the execution of a scriptlet file by regsvr32.exe process. regsvr32.exe allows attackers to run arbitrary scripts to proxy execution of malicious code. 
@@ -16,55 +16,46 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1218/010/ condition: > - spawn_process - and - (ps.child.name ~= 'regsvr32.exe' or ps.child.pe.file.name ~= 'regsvr32.exe') - and - ( - (ps.child.cmdline imatches '*scrobj*' - and - ps.child.cmdline imatches - ( - '*/i:*', - '*-i:*', - '*.sct*' - ) - ) - or - (ps.child.cmdline imatches '* /u*' - and - ps.child.cmdline imatches - ( - '* -i:*http*', - '* /i:*http*', - '* -i:*ftp*', - '* /i:*ftp*', - '* -i:C:\\*', - '* /i:\"C:\\*', - '* /i:C:\\*', - '* -i:\"C:\\*' - ) - ) - or - (ps.child.cmdline imatches - ( - '* /i:*', - '* -i:*' - ) - and - not - ps.child.cmdline imatches - ( - '* /n*', - '* -n*' + spawn_process and + (ps.child.name ~= 'regsvr32.exe' or ps.child.pe.file.name ~= 'regsvr32.exe') and + ( + (ps.child.cmdline imatches '*scrobj*' and + ps.child.cmdline imatches + ( + '*/i:*', + '*-i:*', + '*.sct*' + ) + ) or + (ps.child.cmdline imatches '* /u*' and + ps.child.cmdline imatches + ( + '* -i:*http*', + '* /i:*http*', + '* -i:*ftp*', + '* /i:*ftp*', + '* -i:C:\\*', + '* /i:\"C:\\*', + '* /i:C:\\*', + '* -i:\"C:\\*' + ) + ) or + (ps.child.cmdline imatches + ( + '* /i:*', + '* -i:*' + ) and + ps.child.cmdline not imatches + ( + '* /n*', + '* -n*' + ) ) - ) - ) - and + ) and ps.child.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe' - ) + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml index f53ad80fe..57f844c7e 100644 --- a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml +++ b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml 
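Review bot: In the `/u` branch the four drive-rooted patterns hardcode `C:` (`'* -i:C:\\*'`, `'* /i:\"C:\\*'`, `'* /i:C:\\*'`, `'* -i:\"C:\\*'`), while the rest of this rule and every path in this commit use the `?:` drive wildcard, so an uninstall-with-scriptlet invocation pointing at `D:\` or a mapped drive is missed; replace the literal `C:` with `?:` in those four entries, e.g. `'* -i:?:\\*'`. This hunk also turns `not ps.child.cmdline imatches (...)` into `ps.child.cmdline not imatches (...)`, the only non-whitespace edit in the commit; it reads as equivalent, but since the version bump does not call it out, confirm the engine evaluates the infix `not` form identically before merging. The closing `ps.child.exe not imatches ('?:\\Program Files\\*.exe', ...)` exclusion is applied to a binary matched by name or PE original filename, so a copy of regsvr32.exe dropped under Program Files is exempted entirely; scoping the rule to the System32/SysWOW64 locations instead of carving out Program Files would close that gap.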
@@ -1,6 +1,6 @@ name: Suspicious access to the hosts file id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2 -version: 1.0.3 +version: 1.0.4 description: > Identifies suspicious process accessing the Windows hosts file for potential tampering. Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the @@ -18,15 +18,15 @@ references: condition: > sequence maxspan 5m - |spawn_process and ps.child.exe not imatches - ( - '?:\\Windows\\servicing\\TrustedInstaller.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe', - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', - '?:\\Program Files\\Mozilla Firefox\\firefox.exe', - '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' - ) + |spawn_process and ps.child.exe not imatches + ( + '?:\\Windows\\servicing\\TrustedInstaller.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe', + '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', + '?:\\Program Files\\Mozilla Firefox\\firefox.exe', + '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' + ) | by ps.child.uuid |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'| by ps.uuid action: diff --git a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml index 9a5257f91..9ddbe5f76 100644 --- a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml +++ b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml @@ -1,6 +1,6 @@ name: Suspicious DLL loaded via memory section mapping id: b06653fb-227e-4e63-9a69-55a5a90c79e5 -version: 1.0.2 +version: 1.0.3 description: | Identifies the mapping of a memory section with RX protection followed by unsigned DLL loading. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses 
@@ -21,12 +21,12 @@ condition: > sequence maxspan 2m by ps.uuid - |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and evt.pid != 4 and file.view.size >= 4096 - and - ps.exe not imatches - ( - '?:\\Program Files\\Mozilla Firefox\\firefox.exe' - ) + |map_view_of_section and + file.view.protection = 'READONLY|EXECUTE' and evt.pid != 4 and file.view.size >= 4096 and + ps.exe not imatches + ( + '?:\\Program Files\\Mozilla Firefox\\firefox.exe' + ) | |(load_unsigned_or_untrusted_dll)| action: diff --git a/rules/defense_evasion_suspicious_html_application_script_execution.yml b/rules/defense_evasion_suspicious_html_application_script_execution.yml index 81b947740..9714aa2e4 100644 --- a/rules/defense_evasion_suspicious_html_application_script_execution.yml +++ b/rules/defense_evasion_suspicious_html_application_script_execution.yml @@ -1,6 +1,6 @@ name: Suspicious HTML Application script execution id: 4ec64ac2-851d-41b4-b7d2-910c21de334d -version: 1.0.2 +version: 1.0.3 description: | Identifies the execution of scripts via Microsoft HTML Application Host interpreter. Adversaries can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses. 
@@ -19,40 +19,39 @@ references: - https://www.ired.team/offensive-security/code-execution/t1170-mshta-code-execution condition: > - spawn_process and (ps.child.name ~= 'mshta.exe' or ps.child.pe.file.name ~= 'mshta.exe') - and + spawn_process and + (ps.child.name ~= 'mshta.exe' or ps.child.pe.file.name ~= 'mshta.exe') and ps.child.cmdline imatches - ( - '*WScript.Shell*', - '*mshtml*RunHTMLApplication*', - '*http*', - '*https*', - '*hXXps', - '*ftp*', - '*.run*', - '*window.close*', - '*mshta*', - '*mshtml*', - '*).Exec()*', - '*script*eval(*', - '*script*GetObject*', - '*vbscript*', - '*\\Users\\*\\Downloads\\*.hta*', - '*.rtf*', - '*.bat*', - '*.dll*', - '*.zip*', - '*.jpg*', - '*.png*', - '*.lnk*', - '*.doc*', - '*.xls*' - ) - and + ( + '*WScript.Shell*', + '*mshtml*RunHTMLApplication*', + '*http*', + '*https*', + '*hXXps', + '*ftp*', + '*.run*', + '*window.close*', + '*mshta*', + '*mshtml*', + '*).Exec()*', + '*script*eval(*', + '*script*GetObject*', + '*vbscript*', + '*\\Users\\*\\Downloads\\*.hta*', + '*.rtf*', + '*.bat*', + '*.dll*', + '*.zip*', + '*.jpg*', + '*.png*', + '*.lnk*', + '*.doc*', + '*.xls*' + ) and ps.exe not imatches - ( - '?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE' - ) + ( + '?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE' + ) action: - name: kill diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml index e762c4811..7553d6cb5 100644 --- a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml +++ b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml @@ -1,6 +1,6 @@ name: Suspicious object symbolic link creation id: f9306355-1f5f-4a06-9779-195aa681db80 -version: 1.0.3 +version: 1.0.4 description: | Identifies the creation of the object symbolic link inside the object manager namespace by untrusted or unusual processes. 
@@ -18,20 +18,19 @@ references: - https://www.elastic.co/kr/blog/detect-block-unknown-knowndlls-windows-acl-hardening-attacks-cache-poisoning-escalation condition: > - create_symbolic_link_object and evt.pid != 4 - and - (pe.is_signed = false or pe.is_trusted = false or ps.exe not imatches - ( - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\WINDOWS\\system32\\svchost.exe', - '?:\\Program Files\\*', - '?:\\Program Files (x86)\\*', - '?:\\Windows\\System32\\vmwp.exe', - '?:\\Windows\\System32\\spoolsv.exe', - '?:\\Windows\\System32\\csrss.exe' - ) - ) - and + create_symbolic_link_object and evt.pid != 4 and + (pe.is_signed = false or pe.is_trusted = false or + ps.exe not imatches + ( + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\WINDOWS\\system32\\svchost.exe', + '?:\\Program Files\\*', + '?:\\Program Files (x86)\\*', + '?:\\Windows\\System32\\vmwp.exe', + '?:\\Windows\\System32\\spoolsv.exe', + '?:\\Windows\\System32\\csrss.exe' + ) + ) and evt.arg[target] not imatches '\\Sessions\\*\\AppContainerNamedObjects\\*' output: > diff --git a/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml b/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml index c6b58d47a..83d96506b 100644 --- a/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml +++ b/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml @@ -1,6 +1,6 @@ name: Suspicious Windows Defender exclusions registry modification id: 92fdbbea-e177-494e-8a6a-d8b055daf0e9 -version: 1.0.1 +version: 1.0.2 description: | Identifies the modification of the Windows Defender process, path, or IP address registry key exclusions by suspicious processes. Adversaries may alter the Windows Defender exclusions to bypass defenses. 
@@ -16,28 +16,25 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1562/001 condition: > - set_value and registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\*' - and + set_value and + registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\*' and ( ps.exe imatches - ( - '?:\\Users\\*\\AppData\\*', - '?:\\Users\\Public\\*', - '?:\\Windows\\Microsoft.NET\\*', - '?:\\ProgramData\\*' - ) - or - ps.name iin ('pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'cscript.exe', 'reg.exe', 'wscript.exe', 'mshta.exe', 'msbuild.exe', 'powershell.exe', 'cmd.exe') - or + ( + '?:\\Users\\*\\AppData\\*', + '?:\\Users\\Public\\*', + '?:\\Windows\\Microsoft.NET\\*', + '?:\\ProgramData\\*' + ) or + ps.name iin ('pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'cscript.exe', 'reg.exe', 'wscript.exe', 'mshta.exe', 'msbuild.exe', 'powershell.exe', 'cmd.exe') or pe.is_signed = false or pe.is_trusted = false - ) - and + ) and ps.exe not imatches - ( - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe' - ) + ( + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe' + ) action: - name: kill diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml index fb9e9e170..a9cd2a350 100644 --- a/rules/defense_evasion_suspicious_xsl_script_execution.yml +++ b/rules/defense_evasion_suspicious_xsl_script_execution.yml 
@@ -1,6 +1,6 @@ name: Suspicious XSL script execution id: 65136b30-14ae-46dd-b8e5-9dfa99690d74 -version: 1.0.2 +version: 1.0.3 description: | Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding @@ -19,23 +19,22 @@ references: condition: > sequence maxspan 3m - |spawn_process and (((ps.child.name ~= 'wmic.exe' or ps.child.pe.file.name ~= 'wmic.exe') and ps.child.cmdline imatches - ('* format*:*', '*/format*:*', '*-format*:*') - and - ps.child.cmdline not imatches - ( - '*format:list*', - '*format:htable*', - '*format:hform*', - '*format:table*', - '*format:mof*', - '*format:value*', - '*format:rawxml*', - '*format:xml*', - '*format:csv*' - ) - ) - or + |spawn_process and + (((ps.child.name ~= 'wmic.exe' or ps.child.pe.file.name ~= 'wmic.exe') and + ps.child.cmdline imatches ('* format*:*', '*/format*:*', '*-format*:*') and + ps.child.cmdline not imatches + ( + '*format:list*', + '*format:htable*', + '*format:hform*', + '*format:table*', + '*format:mof*', + '*format:value*', + '*format:rawxml*', + '*format:xml*', + '*format:csv*' + ) + ) or ps.child.name ~= 'msxsl.exe' or ps.child.pe.file.name ~= 'msxsl.exe' ) | by ps.child.uuid diff --git a/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml b/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml index 714357b33..8943e3f34 100644 --- a/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml +++ b/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml @@ -1,6 +1,6 @@ name: System Binary Proxy Execution via Rundll32 id: 43d76718-cc46-485e-8f47-996eb7a9f83b -version: 1.0.2 +version: 1.0.3 description: | Detects the execution of rundll32.exe process with suspicious command line followed by the creation of a possibly malicious child process. 
@@ -24,41 +24,38 @@ references: condition: > sequence maxspan 1m - |spawn_process - and - (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') - and - ( - ps.child.cmdline imatches - ( - '*javascript:*', - '*vbscript:*', - '*shell32.dll*ShellExec_RunDLL*', - '*shell32*WaitForExplorerRestart*', - '*-sta*', - '*ActiveXObject*', - '*WScript.Shell*', - '*RunHTMLApplication*', - '*advpack*#12*', - '*advpack*RegisterOCX*', - '*advpack*LaunchINFSection*', - '*url.dll*FileProtocolHandler*file://*', - '*url.dll*FileProtocolHandler*.exe*', - '*zipfldr*RouteTheCall*', - '*pcwutl*LaunchApplication*', - '*pcwutl*#1*', - '*desk*InstallScreenSaver*', - '*PointFunctionCall*' - ) - or - regex(ps.child.cmdline, '(?i)[A-Z]:\\\\.+:.+$') - ) - | by ps.child.uuid - |spawn_process and ps.child.exe not imatches + |spawn_process and + (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') and ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe' + ps.child.cmdline imatches + ( + '*javascript:*', + '*vbscript:*', + '*shell32.dll*ShellExec_RunDLL*', + '*shell32*WaitForExplorerRestart*', + '*-sta*', + '*ActiveXObject*', + '*WScript.Shell*', + '*RunHTMLApplication*', + '*advpack*#12*', + '*advpack*RegisterOCX*', + '*advpack*LaunchINFSection*', + '*url.dll*FileProtocolHandler*file://*', + '*url.dll*FileProtocolHandler*.exe*', + '*zipfldr*RouteTheCall*', + '*pcwutl*LaunchApplication*', + '*pcwutl*#1*', + '*desk*InstallScreenSaver*', + '*PointFunctionCall*' + ) or + regex(ps.child.cmdline, '(?i)[A-Z]:\\\\.+:.+$') ) + | by ps.child.uuid + |spawn_process and ps.child.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe' + ) | by ps.uuid action: - name: kill diff --git a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml index f56f4ca00..30f234070 100644 --- a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml 
+++ b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml @@ -1,6 +1,6 @@ name: Thread context set from unbacked memory id: f8219274-ee68-416b-8489-4d2e635c7844 -version: 1.0.4 +version: 1.0.5 description: | Identifies manipulation of the thread context from unbacked memory region. This may be indicative of process injection. @@ -13,14 +13,14 @@ labels: technique.ref: https://attack.mitre.org/techniques/T1055/ condition: > - set_thread_context and thread.callstack.summary imatches ('ntdll.dll|kernelbase.dll|unbacked') - and + set_thread_context and + thread.callstack.summary imatches ('ntdll.dll|kernelbase.dll|unbacked') and ps.exe not imatches - ( - '?:\\Program Files\\Git\\mingw64\\bin\\git.exe', - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', - '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe', - '?:\\Windows\\System32\\taskhostw.exe' - ) + ( + '?:\\Program Files\\Git\\mingw64\\bin\\git.exe', + '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', + '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe', + '?:\\Windows\\System32\\taskhostw.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml index 90be228aa..9882138d8 100644 --- a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml +++ b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml @@ -1,6 +1,6 @@ name: Unsigned DLL injection via remote thread id: 21bdd944-3bda-464b-9a72-58fd37ba9163 -version: 1.1.3 +version: 1.1.4 description: | Identifies unsigned DLL injection via remote thread creation. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses 
@@ -22,27 +22,24 @@ references: condition: > sequence maxspan 1m - |create_remote_thread and thread.start_address.symbol imatches ('LoadLibrary*', 'LdrLoadDLL*') and not (ps.exe imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe' - ) - or - (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) - or - (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') - ) + |create_remote_thread and + thread.start_address.symbol imatches ('LoadLibrary*', 'LdrLoadDLL*') and + not (ps.exe imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe' + ) or + (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) or + (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')) | by thread.pid - |(load_unsigned_or_untrusted_dll) - and + |(load_unsigned_or_untrusted_dll) and image.path not imatches - ( - '?:\\Program Files\\Git\\mingw64\\bin\\*.dll', - '?:\\Windows\\assembly\\*\\*.ni.dll', - '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll', - '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll' - ) - and + ( + '?:\\Program Files\\Git\\mingw64\\bin\\*.dll', + '?:\\Windows\\assembly\\*\\*.ni.dll', + '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll', + '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll' + ) and ps.exe not imatches '?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\Updates\\*\\OfficeClickToRun.exe' | by ps.pid diff --git a/rules/defense_evasion_windows_defender_protection_tampering_via_registry.yml b/rules/defense_evasion_windows_defender_protection_tampering_via_registry.yml index e7df57e36..c5b92c42c 100644 --- a/rules/defense_evasion_windows_defender_protection_tampering_via_registry.yml +++ b/rules/defense_evasion_windows_defender_protection_tampering_via_registry.yml 
@@ -1,6 +1,6 @@ name: Windows Defender protection tampering via registry id: 47ad962b-be0f-44f8-9467-34109f41e5ff -version: 1.0.1 +version: 1.0.2 description: | Detects suspicious processes modifying Windows Defender configuration settings via registry to disable protection features. 
@@ -18,43 +18,40 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker condition: > - set_value - and - ((base(registry.path) iin - ( - 'DisableAntiSpyware', - 'DisableAntiVirus', - 'DisableBehaviorMonitoring', - 'DisableBlockAtFirstSeen', - 'DisableEnhancedNotifications', - 'DisableIntrusionPreventionSystem', - 'DisableIOAVProtection', - 'DisableOnAccessProtection', - 'DisableRealtimeMonitoring', - 'DisableScanOnRealtimeEnable', - 'DisableScriptScanning', - 'DisableArchiveScanning', - 'DisableRawWriteNotification' - ) and registry.value = 1) - or + set_value and + ((base(registry.path) iin + ( + 'DisableAntiSpyware', + 'DisableAntiVirus', + 'DisableBehaviorMonitoring', + 'DisableBlockAtFirstSeen', + 'DisableEnhancedNotifications', + 'DisableIntrusionPreventionSystem', + 'DisableIOAVProtection', + 'DisableOnAccessProtection', + 'DisableRealtimeMonitoring', + 'DisableScanOnRealtimeEnable', + 'DisableScriptScanning', + 'DisableArchiveScanning', + 'DisableRawWriteNotification' + ) and registry.data = '1') or (registry.path imatches - ( - '*\\Windows Defender\\Spynet\\SpyNetReporting', - '*\\Windows Defender\\Spynet\\SubmitSamplesConsent', - '*\\DisallowExploitProtectionOverride', - '*\\Windows Defender\\Features\\TamperProtection', - '*\\Windows Defender\\MpEngine\\MpEnablePus' - ) and registry.value = 0 + ( + '*\\Windows Defender\\Spynet\\SpyNetReporting', + '*\\Windows Defender\\Spynet\\SubmitSamplesConsent', + '*\\DisallowExploitProtectionOverride', + '*\\Windows Defender\\Features\\TamperProtection', + '*\\Windows Defender\\MpEngine\\MpEnablePus' + ) and registry.data = '0' ) - ) - and + ) and ps.exe not imatches - ( - '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\sepWscSvc64.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe', - '?:\\ProgramData\\Microsoft\\Windows 
Defender\\*\\NisSrv.exe' - ) + ( + '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\sepWscSvc64.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe' + ) action: - name: kill diff --git a/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml index 7df2d39e9..90a505d58 100644 --- a/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml +++ b/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml @@ -1,6 +1,6 @@ name: Executable file creation from a macro-enabled Microsoft Office document id: fffcce75-2427-406e-9597-1f49b0c9ad5b -version: 1.0.2 +version: 1.0.3 description: | Identifies the Microsoft Office process writing an executable file type and the call stack reveals the file creation was originated from the Microsoft @@ -18,16 +18,14 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/ condition: > - create_file and ps.name in msoffice_binaries - and - thread.callstack.modules imatches 'vbe?.dll' - and + create_file and + ps.name in msoffice_binaries and + thread.callstack.modules imatches 'vbe?.dll' and ( file.extension iin ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe', '.rar.', '.zip', '.iso', '.img', '.wsh', '.bat', '.cpl', '.7z' - ) - or + ) or (file.is_exec or file.is_dll) ) diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml index 3bff927a8..7bb810604 100644 --- a/rules/initial_access_macro_execution_via_script_interpreter.yml +++ b/rules/initial_access_macro_execution_via_script_interpreter.yml 
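Review bot: The switch from `registry.value = 1` / `registry.value = 0` to `registry.data = '1'` / `registry.data = '0'` in this hunk is a functional change buried in what is otherwise a formatting-only batch: the old condition compared a number, the new one compares a string, so the rule's match behaviour now depends on exactly how the engine renders REG_DWORD data. If that rendering is anything other than the bare decimal digit (a hex form, a typed prefix), neither branch matches and this Defender-tampering rule silently stops firing, which is the worst failure mode for a detection that carries a kill action; a recorded set_value event for one of the listed values (e.g. DisableRealtimeMonitoring) run through the rule would settle it, and the patch-level version bump in the earlier `@@ -1,6 +1,6 @@` hunk of this file seems light for a semantic change. I would also add a comment above the condition such as `# registry.data is string-valued: DWORD 1/0 must arrive as '1'/'0' — TODO confirm against the engine version this rule targets` so the next reader does not have to rediscover the type change. The description block this condition belongs to starts outside the hunk.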
@@ -1,6 +1,6 @@ name: Macro execution via script interpreter id: 845404de-df6f-472f-bd74-72148a7f5166 -version: 1.0.4 +version: 1.0.5 description: | Identifies the execution of the Windows scripting interpreter spawning a Microsoft Office process to execute suspicious Visual Basic macro. @@ -19,12 +19,9 @@ condition: > sequence maxspan 5m |spawn_process and ps.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid - |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll' - and - (spawn_process or (create_remote_thread) or (modify_registry) or (create_file) - or - (load_module and image.path not imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')) - ) + |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll' and + (spawn_process or (create_remote_thread) or (modify_registry) or (create_file) or + (load_module and image.path not imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*'))) | by ps.uuid min-engine-version: 3.0.0 diff --git a/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml index 6b4edea27..30ff38a87 100644 --- a/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml +++ b/rules/initial_access_microsoft_office_file_execution_via_script_interpreter.yml @@ -1,6 +1,6 @@ name: Microsoft Office file execution via script interpreter id: bf3ea547-1470-4bcc-9945-3b495d962c2c -version: 1.0.1 +version: 1.0.2 description: | Identifies the execution via Windows script interpreter of the executable file written by the Microsoft Office process. 
@@ -18,12 +18,16 @@ labels: condition: > sequence maxspan 2m - |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true)| by file.path - |spawn_process and ps.name iin script_interpreters and ps.child.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe' - ) + |create_file and + ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com', '.scr', '.pif', '.bat') or file.is_exec = true) + | by file.path + |spawn_process and + ps.name iin script_interpreters and + ps.child.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe' + ) | by ps.child.exe action: - name: kill diff --git a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml index 35cb21c15..772ecf976 100644 --- a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml +++ b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml @@ -1,6 +1,6 @@ name: Microsoft Office file execution via WMI id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152 -version: 1.0.1 +version: 1.0.2 description: | Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code. @@ -20,7 +20,9 @@ references: condition: > sequence maxspan 2m - |create_file and ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com') or file.is_exec = true)| by file.path + |create_file and + ps.name iin msoffice_binaries and (file.extension iin ('.exe', '.com') or file.is_exec = true) + | by file.path |spawn_process and ps.name ~= 'wmiprvse.exe'| by ps.child.exe action: - name: kill diff --git a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml index 65ef03f2d..c1f10c180 100644 
--- a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml +++ b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml @@ -1,6 +1,6 @@ name: Potential ClickFix infection chain via Run window id: ffe1fc54-2893-4760-ab50-51a83bd71d13 -version: 1.0.2 +version: 1.0.3 description: | Identifies the execution of the process via the Run command dialog box followed by spawning of the potential infostealer process. @@ -21,23 +21,22 @@ references: condition: > sequence maxspan 2m - |spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2 - and - (thread.callstack.summary imatches - ( - 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*', - 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*' - ) - or + |spawn_process and + ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2 and + (thread.callstack.summary imatches + ( + 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*', + 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*' + ) or (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*')) ) | by ps.child.uuid - |spawn_process and ps.child.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe', - '?:\\Windows\\System32\\*.exe' - ) + |spawn_process and ps.child.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe', + '?:\\Windows\\System32\\*.exe' + ) | by ps.uuid action: - name: kill 
diff --git a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml index 1c3a4e573..a4b863e9f 100644 --- a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml +++ b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml @@ -1,6 +1,6 @@ name: Process spawned from macro-enabled Microsoft Office document id: 47521206-e19d-4608-9dbc-dc3a1df99db5 -version: 1.0.3 +version: 1.0.4 description: | Identifies the execution of the child process spawned by Microsoft Office parent process where the call stack contains the Visual Basic @@ -18,27 +18,25 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/ condition: > - spawn_process and ps.name iin msoffice_binaries - and + spawn_process and + ps.name iin msoffice_binaries and ( - thread.callstack.modules imatches ('*vbe?.dll') - or + thread.callstack.modules imatches ('*vbe?.dll') or thread.callstack.symbols imatches - ( - '*!xlAutoOpen*', - '*!wlAutoOpen*', - '*!wdAutoOpen*', - 'kernel32.dll!WinExec*', - 'shell32.dll!ShellExecute*' - ) - ) - and + ( + '*!xlAutoOpen*', + '*!wlAutoOpen*', + '*!wdAutoOpen*', + 'kernel32.dll!WinExec*', + 'shell32.dll!ShellExecute*' + ) + ) and ps.child.exe not imatches - ( - '?:\\Windows\\explorer.exe', - '?:\\Windows\\hh.exe', - '?:\\Windows\\System32\\spool\\drivers\\*', - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' - ) + ( + '?:\\Windows\\explorer.exe', + '?:\\Windows\\hh.exe', + '?:\\Windows\\System32\\spool\\drivers\\*', + '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml b/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml index 93324020f..47d7ab1a9 100644 
--- a/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml +++ b/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml @@ -1,6 +1,6 @@ name: Suspicious DLL loaded by Microsoft Office process id: 5868518c-2a83-4b26-ad4b-f14f0b85e744 -version: 1.0.2 +version: 1.0.3 description: Identifies loading of recently dropped DLL by Microsoft Office process. labels: @@ -17,8 +17,8 @@ labels: condition: > sequence maxspan 1h - |create_file and (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries - and + |create_file and + (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries and file.path not imatches '?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll' | by file.name |load_module and ps.name iin msoffice_binaries| by image.name diff --git a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml index ff97c4942..ef510993d 100644 --- a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml +++ b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml @@ -1,6 +1,6 @@ name: Suspicious execution via WMI from a Microsoft Office process id: cc3f0bbe-ec53-40a7-9eed-f0a8a3f7d7fa -version: 1.0.1 +version: 1.0.2 description: | Identifies a suspicious process execution via Windows Management Instrumentation (WMI) originated from the Microsoft Office process loading an unusual WMI DLL. This technique 
@@ -23,69 +23,66 @@ references: condition: > sequence maxspan 1m - |load_dll and image.name iin ('wmiclnt.dll', 'wbemcomn.dll', 'wmiprov.dll', 'wbemprox.dll', 'wmutils.dll', 'fastprox.dll', 'WMINet_Utils.dll') - and + |load_dll and + image.name iin ('wmiclnt.dll', 'wbemcomn.dll', 'wmiprov.dll', 'wbemprox.dll', 'wmutils.dll', 'fastprox.dll', 'WMINet_Utils.dll') and (ps.name iin msoffice_binaries or thread.callstack.modules imatches ('*vbe?.dll')) | by ps.sid - |spawn_process and ps.name iin ('wmiprvse.exe', 'wmiapsrv.exe') and (ps.child.exe imatches ('?:\\Users\\*.exe', '?:\\ProgramData\\*.exe') - or - ps.child.name iin - ( - 'rundll32.exe', - 'regsvr32.exe', - 'hh.exe', - 'cmd.exe', - 'pwsh.exe', - 'powershell.exe', - 'mshta.exe', - 'certutil.exe', - 'bitsadmin.exe', - 'cscript.exe', - 'wscript.exe', - 'jsc.exe', - 'vssadmin.exe', - 'curl.exe', - 'wget.exe', - 'sc.exe', - 'reg.exe', - 'schtasks.exe', - 'msxsl.exe', - 'msbuild.exe', - 'regasm.exe', - 'regsvcs.exe', - 'wmic.exe', - 'msiexec.exe' - ) - or - ps.child.pe.file.name iin - ( - 'rundll32.exe', - 'regsvr32.exe', - 'hh.exe', - 'cmd.exe', - 'pwsh.exe', - 'powershell.exe', - 'mshta.exe', - 'certutil.exe', - 'bitsadmin.exe', - 'cscript.exe', - 'wscript.exe', - 'jsc.exe', - 'vssadmin.exe', - 'curl.exe', - 'wget.exe', - 'sc.exe', - 'reg.exe', - 'schtasks.exe', - 'msxsl.exe', - 'msbuild.exe', - 'regasm.exe', - 'regsvcs.exe', - 'wmic.exe', - 'msiexec.exe' - ) - ) - | by ps.child.sid + |spawn_process and + ps.name iin ('wmiprvse.exe', 'wmiapsrv.exe') and (ps.child.exe imatches ('?:\\Users\\*.exe', '?:\\ProgramData\\*.exe') or + ps.child.name iin + ( + 'rundll32.exe', + 'regsvr32.exe', + 'hh.exe', + 'cmd.exe', + 'pwsh.exe', + 'powershell.exe', + 'mshta.exe', + 'certutil.exe', + 'bitsadmin.exe', + 'cscript.exe', + 'wscript.exe', + 'jsc.exe', + 'vssadmin.exe', + 'curl.exe', + 'wget.exe', + 'sc.exe', + 'reg.exe', + 'schtasks.exe', + 'msxsl.exe', + 'msbuild.exe', + 'regasm.exe', + 'regsvcs.exe', + 'wmic.exe', + 
'msiexec.exe' + ) or + ps.child.pe.file.name iin + ( + 'rundll32.exe', + 'regsvr32.exe', + 'hh.exe', + 'cmd.exe', + 'pwsh.exe', + 'powershell.exe', + 'mshta.exe', + 'certutil.exe', + 'bitsadmin.exe', + 'cscript.exe', + 'wscript.exe', + 'jsc.exe', + 'vssadmin.exe', + 'curl.exe', + 'wget.exe', + 'sc.exe', + 'reg.exe', + 'schtasks.exe', + 'msxsl.exe', + 'msbuild.exe', + 'regasm.exe', + 'regsvcs.exe', + 'wmic.exe', + 'msiexec.exe' + ))| by ps.child.sid output: > Suspicious process %2.ps.child.exe launched via WMI from Microsoft Office process %1.ps.cmdline diff --git a/rules/initial_access_suspicious_microsoft_office_embedded_object.yml b/rules/initial_access_suspicious_microsoft_office_embedded_object.yml index 2e4fc722e..9eea0e0ee 100644 --- a/rules/initial_access_suspicious_microsoft_office_embedded_object.yml +++ b/rules/initial_access_suspicious_microsoft_office_embedded_object.yml @@ -1,6 +1,6 @@ name: Suspicious Microsoft Office embedded object id: 47368d49-1192-4059-9c55-6bbc4fd1a73a -version: 1.0.2 +version: 1.0.3 description: | Identifies Microsoft Office processes dropping a file with suspicious extension and with the call stack indicating operations to save or load @@ -17,14 +17,11 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/ condition: > - create_file and ps.name iin msoffice_binaries - and - thread.callstack.symbols imatches ('*!OleSaveStream*', '*!OleLoad*', '*!OleCreate*') - and + create_file and + ps.name iin msoffice_binaries and + thread.callstack.symbols imatches ('*!OleSaveStream*', '*!OleLoad*', '*!OleCreate*') and ( - file.extension iin ('.exe', '.dll', '.js', '.vbs', '.vbe', '.jse', '.url', '.chm', '.bat', '.mht', '.hta', '.search-ms') - or - (file.is_exec or file.is_dll) + file.extension iin ('.exe', '.dll', '.js', '.vbs', '.vbe', '.jse', '.url', '.chm', '.bat', '.mht', '.hta', '.search-ms') or (file.is_exec or file.is_dll) ) min-engine-version: 3.0.0 
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index 5af256764..ea4558d0a 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -108,16 +108,14 @@ - macro: inbound_network expr: > - (recv_socket or accept_socket) - and + (recv_socket or accept_socket) and ((net.sip != 0.0.0.0 or net.dip != 0.0.0.0) and (net.sip not in ('0:0:0:0:0:0:0:1', '::1') or net.dip not in ('0:0:0:0:0:0:0:1', '::1')) and not (cidr_contains(net.sip, '127.0.0.0/8') or cidr_contains(net.dip, '127.0.0.0/8'))) description: | Detects inbound network traffic excluding source/destination loopback addresses/address spaces. - macro: outbound_network expr: > - (send_socket or connect_socket) - and + (send_socket or connect_socket) and (net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')) description: | Detects outbound network traffic excluding unspecified destination IP addresses, @@ -125,8 +123,7 @@ - macro: load_driver expr: > - (load_module and (image.name iendswith '.sys' or image.is_driver)) - or + (load_module and (image.name iendswith '.sys' or image.is_driver)) or (create_handle and handle.type = 'Driver') description: | Detects the loading of the kernel driver. Image load events are published when @@ -161,16 +158,14 @@ - macro: load_untrusted_executable expr: > - load_executable - and + load_executable and (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED') description: Detects when untrusted executable is loaded into process address space. - macro: load_untrusted_dll expr: > - load_dll - and + load_dll and (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED') description: Detects when untrusted DLL is loaded into process address space. 
@@ -191,8 +186,7 @@ - macro: load_untrusted_module expr: > - load_module - and + load_module and (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED') description: | Detects when untrusted executable or DLL is loaded into process address space. @@ -212,16 +206,14 @@ - macro: write_minidump_file expr: > - create_file - and + create_file and ( file.extension iin - ( - '.dmp', - '.mdmp', - '.dump' - ) - or + ( + '.dmp', + '.mdmp', + '.dump' + ) or is_minidump(file.path) ) description: | diff --git a/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml b/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml index 0334bbbea..bd531bc06 100644 --- a/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml +++ b/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml @@ -1,6 +1,6 @@ name: Executable file dropped by an unsigned service DLL id: 3e29da58-0fc4-44c0-91c0-0dfc6af87e9d -version: 1.0.1 +version: 1.0.2 description: | Identifies the loading of an unsigned DLL by svchost process followed by creating an executable file. Adversaries may rely on Windows Services to repeatedly execute malicious 
@@ -23,11 +23,10 @@ condition: > sequence maxspan 3m |load_unsigned_dll and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe')| as e1 - |create_file and evt.pid != 4 and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe') - and - (file.extension iin ('.exe', '.dll', '.com', '.js', '.vbs', '.cmd', '.bat', '.vbe') or file.is_exec or file.is_dll or file.is_driver) - and - thread.callstack.symbols iin (concat($e1.image.name, '!ServiceMain')) + |create_file and + evt.pid != 4 and ps.exe imatches ('?:\\Windows\\System32\\svchost.exe', '?:\\Windows\\SysWOW64\\svchost.exe') and + (file.extension iin ('.exe', '.dll', '.com', '.js', '.vbs', '.cmd', '.bat', '.vbe') or file.is_exec or file.is_dll or file.is_driver) and + thread.callstack.symbols iin (concat($e1.image.name, '!ServiceMain')) | output: > diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml index 861ff93af..ff29780a2 100644 --- a/rules/persistence_hidden_local_account_creation.yml +++ b/rules/persistence_hidden_local_account_creation.yml @@ -1,6 +1,6 @@ name: Hidden local account creation id: bfa83754-3730-4c46-a0fd-cc71365f64df -version: 1.0.2 +version: 1.0.3 description: | Identifies the creation of a hidden local account. Adversaries can create hidden accounts by appending the dollar sign to the account name. This technique renders the account name hidden @@ -17,11 +17,12 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/ condition: > - modify_registry and registry.path imatches - ( - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$', - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$' - ) + modify_registry and + registry.path imatches + ( + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$', + 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$' + ) severity: high 
diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml index 742eaeb49..5da10923d 100644 --- a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml +++ b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml @@ -1,6 +1,6 @@ name: Network connection via startup folder executable or script id: 09b7278d-42e3-4792-9f00-dee38baecfad -version: 1.0.3 +version: 1.0.4 description: | Identifies the execution of unsigned binary or script from the Startup folder followed by network inbound or outbound connection. @@ -19,10 +19,8 @@ condition: > sequence maxspan 5m by ps.uuid - | - (load_untrusted_executable and image.path imatches startup_locations) - or - (load_executable and ps.name in script_interpreters and ps.cmdline imatches startup_locations) + |(load_untrusted_executable and image.path imatches startup_locations) or + (load_executable and ps.name in script_interpreters and ps.cmdline imatches startup_locations) | |((inbound_network) or (outbound_network)) and ps.cmdline imatches startup_locations| diff --git a/rules/persistence_potential_port_monitor_or_print_processor_persistence_via_registry_modification.yml b/rules/persistence_potential_port_monitor_or_print_processor_persistence_via_registry_modification.yml index a038d86aa..513268791 100644 --- a/rules/persistence_potential_port_monitor_or_print_processor_persistence_via_registry_modification.yml +++ b/rules/persistence_potential_port_monitor_or_print_processor_persistence_via_registry_modification.yml @@ -1,6 +1,6 @@ name: Potential port monitor or print processor persistence via registry modification id: de04ae6b-8141-41af-9baa-15630b5954cc -version: 1.0.1 +version: 1.0.2 description: | Identifies port monitor or print process registry modifications that would allow adversaries to run malicious DLLs during system boot. 
@@ -18,13 +18,13 @@ references: - https://www.ired.team/offensive-security/persistence/t1013-addmonitor condition: > - (modify_registry) and ps.sid != 'S-1-5-18' - and + (modify_registry) and + ps.sid != 'S-1-5-18' and registry.path imatches - ( - 'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*', - 'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*' - ) + ( + 'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*', + 'HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*' + ) output: > Port monitor or print processor DLL registered under registry key %registry.path by process %ps.exe diff --git a/rules/persistence_rid_hijacking.yml b/rules/persistence_rid_hijacking.yml index f92afbfd6..06dacee45 100644 --- a/rules/persistence_rid_hijacking.yml +++ b/rules/persistence_rid_hijacking.yml @@ -1,6 +1,6 @@ name: RID Hijacking id: 5c25666a-4a9f-4b7c-b02f-db0b5cdbde83 -version: 1.0.3 +version: 1.0.4 description: | RID (Relative ID part of security identifier) hijacking allows an attacker with SYSTEM level privileges to covertly replace the RID of a low privileged account effectively making @@ -17,10 +17,9 @@ references: - https://www.ired.team/offensive-security/persistence/rid-hijacking condition: > - set_value and registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*\\F' - and - ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') - and + set_value and + registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*\\F' and + ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe not imatches '?:\\Windows\\System32\\lsass.exe' min-engine-version: 3.0.0 diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml index 116f84632..8fe860338 100644 
--- a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml +++ b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml @@ -1,6 +1,6 @@ name: Script interpreter host or untrusted process persistence id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea -version: 1.1.1 +version: 1.1.2 description: | Identifies the script interpreter or untrusted process writing to commonly abused run keys or the Startup folder locations. 
@@ -16,33 +16,26 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/ condition: > - (((modify_registry) or (create_file)) and evt.pid != 4) - and - (ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false) - and - (registry.path imatches registry_run_keys or file.path imatches startup_locations) - and - not - ( - ps.exe imatches - ( - '?:\\Windows\\explorer.exe', - '?:\\Windows\\System32\\services.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\System32\\msiexec.exe', - '?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe', - '?:\\Program Files*\\Mozilla Firefox\\firefox.exe', - '?:\\Program Files*\\Opera\\*\\opera.exe', - '?:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe', - '?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe', - '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe', - '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe', - '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe', - '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe' - ) - or - (pe.is_signed = true and pe.cert.subject imatches '*Microsoft*') - ) + (((modify_registry) or (create_file)) and evt.pid != 4) and + (ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false) and + (registry.path imatches registry_run_keys or file.path imatches startup_locations) and + not (ps.exe imatches + ( + '?:\\Windows\\explorer.exe', + '?:\\Windows\\System32\\services.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe', + '?:\\Program Files*\\Mozilla Firefox\\firefox.exe', + '?:\\Program Files*\\Opera\\*\\opera.exe', + '?:\\Program Files*\\Microsoft\\Edge\\Application\\msedge.exe', + '?:\\Program Files\\Microsoft\\Edge\\Application\\*\\msedge.exe', + '?:\\Program Files 
(x86)\\Microsoft\\Edge\\Application\\*\\msedge.exe', + '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe', + '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe', + '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe' + ) or + (pe.is_signed = true and pe.cert.subject imatches '*Microsoft*')) action: - name: kill diff --git a/rules/persistence_suspicious_microsoft_office_addin_loaded.yml b/rules/persistence_suspicious_microsoft_office_addin_loaded.yml index a477e205a..5b9bdbb92 100644 --- a/rules/persistence_suspicious_microsoft_office_addin_loaded.yml +++ b/rules/persistence_suspicious_microsoft_office_addin_loaded.yml @@ -1,6 +1,6 @@ name: Suspicious Microsoft Office add-in loaded id: fe4daff8-d8aa-48d3-bf09-a9d868375a3c -version: 1.0.1 +version: 1.0.2 description: | Identifies attempts to load unsigned executables from known Microsoft Office add-ins directories, which adversaries may exploit to maintain persistence. @@ -15,15 +15,15 @@ references: - https://github.com/3gstudent/Office-Persistence/blob/master/OfficePersistence.ps1 condition: > - (load_unsigned_or_untrusted_module) and ps.name iin ('excel.exe', 'winword.exe', 'outlook.exe', 'powerpnt.exe') - and + (load_unsigned_or_untrusted_module) and + ps.name iin ('excel.exe', 'winword.exe', 'outlook.exe', 'powerpnt.exe') and image.path imatches - ( - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*' - ) + ( + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*' + ) output: Microsoft Office process %ps.name loaded a suspicious add-in %image.path 
diff --git a/rules/persistence_suspicious_microsoft_office_template.yml b/rules/persistence_suspicious_microsoft_office_template.yml index d81f77fcb..6ea6e9394 100644 --- a/rules/persistence_suspicious_microsoft_office_template.yml +++ b/rules/persistence_suspicious_microsoft_office_template.yml @@ -1,6 +1,6 @@ name: Suspicious Microsoft Office template id: c4be3b30-9d23-4a33-b974-fb12e17487a2 -version: 1.0.3 +version: 1.0.4 description: | Detects when attackers drop macro-enabled files in specific folders to trigger their execution every time the victim user @@ -19,24 +19,21 @@ references: - https://cyberint.com/blog/research/office-templates-and-globaldotname-a-stealthy-office-persistence-technique/ condition: > - create_file - and + create_file and file.path imatches - ( - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\*.dotm', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*', - '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*.otm' - ) - and - ps.name not iin msoffice_binaries - and + ( + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\*.dotm', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*', + '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*.otm' + ) and + ps.name not iin msoffice_binaries and ps.exe not imatches - ( - '?:\\Program Files\\*.exe', - '?:\\Program Files (x86)\\*.exe' - ) + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files (x86)\\*.exe' + ) output: > Office template %file.path created by suspicious process %ps.exe diff --git a/rules/persistence_suspicious_netsh_helper_dll_execution.yml b/rules/persistence_suspicious_netsh_helper_dll_execution.yml index af960b681..882cd9e11 100644 --- a/rules/persistence_suspicious_netsh_helper_dll_execution.yml 
+++ b/rules/persistence_suspicious_netsh_helper_dll_execution.yml @@ -1,6 +1,6 @@ name: Suspicious Netsh Helper DLL execution id: bd17781d-38ca-4b9a-a12a-f807a1eb45e0 -version: 1.0.1 +version: 1.0.2 description: | Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting @@ -23,9 +23,11 @@ references: condition: > sequence maxspan 1m - |spawn_process and (ps.child.name ~= 'netsh.exe' or ps.child.pe.file.name ~= 'netsh.exe')| by ps.child.uuid - |create_thread and foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll' - and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false)) + |spawn_process and + (ps.child.name ~= 'netsh.exe' or ps.child.pe.file.name ~= 'netsh.exe') + | by ps.child.uuid + |create_thread and + foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll' and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false)) | by ps.uuid output: > diff --git a/rules/persistence_suspicious_persistence_via_registry_modification.yml b/rules/persistence_suspicious_persistence_via_registry_modification.yml index 4a15b2a3e..f2189f6d8 100644 --- a/rules/persistence_suspicious_persistence_via_registry_modification.yml +++ b/rules/persistence_suspicious_persistence_via_registry_modification.yml @@ -1,6 +1,6 @@ name: Suspicious persistence via registry modification id: 1f496a17-4f0c-491a-823b-7a70adb9919c -version: 1.0.3 +version: 1.0.4 description: | Adversaries may abuse the registry to achieve persistence by modifying the keys that are unlikely modified by legitimate 
@@ -17,16 +17,12 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/ condition: > - modify_registry - and + modify_registry and ( - (ps.name in script_interpreters or ps.name in ('reg.exe', 'rundll32.exe', 'regsvr32.exe')) - or - ps.exe imatches '?:\\Users\\Public\\*' - or + (ps.name in script_interpreters or ps.name in ('reg.exe', 'rundll32.exe', 'regsvr32.exe')) or + ps.exe imatches '?:\\Users\\Public\\*' or pe.is_signed = false or pe.is_trusted = false - ) - and + ) and registry.path imatches registry_persistence_keys min-engine-version: 3.0.0 diff --git a/rules/persistence_suspicious_port_monitor_loaded.yml b/rules/persistence_suspicious_port_monitor_loaded.yml index 8e3b4cffc..aec3c4195 100644 --- a/rules/persistence_suspicious_port_monitor_loaded.yml +++ b/rules/persistence_suspicious_port_monitor_loaded.yml @@ -1,6 +1,6 @@ name: Suspicious port monitor loaded id: d6ab6bfa-1a97-46cb-a69a-7a6c98a699f1 -version: 1.0.2 +version: 1.0.3 description: | Identifies the loading of an unsigned DLL by the print spool service. Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. @@ -18,8 +18,8 @@ references: - https://www.ired.team/offensive-security/persistence/t1013-addmonitor condition: > - (load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe' - and + (load_unsigned_or_untrusted_dll) and + ps.name ~= 'spoolsv.exe' and thread.callstack.symbols imatches ('localspl.dll!SplAddMonitor*', 'spoolsv.exe!PrvAddMonitor*') min-engine-version: 3.0.0 diff --git a/rules/persistence_suspicious_print_processor_loaded.yml b/rules/persistence_suspicious_print_processor_loaded.yml index 643d8475c..8dcc7e2db 100644 --- a/rules/persistence_suspicious_print_processor_loaded.yml +++ b/rules/persistence_suspicious_print_processor_loaded.yml 
@@ -1,6 +1,6 @@ name: Suspicious print processor loaded id: 3e0f5ef7-8a0a-4604-b2bf-d09606f45483 -version: 1.0.1 +version: 1.0.2 description: | Identifies when the print spooler service loads unsigned or untrusted DLL and the callstack pattern indicates the print processor is loaded. Adversaries may abuse print processors to run malicious DLLs @@ -19,10 +19,9 @@ references: - https://stmxcsr.com/persistence/print-processor.html condition: > - (load_unsigned_or_untrusted_dll) and ps.name ~= 'spoolsv.exe' - and - thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll' - and + (load_unsigned_or_untrusted_dll) and + ps.name ~= 'spoolsv.exe' and + thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|localspl.dll|spoolsv.exe|kernel32.dll|ntdll.dll' and thread.callstack.symbols imatches ('localspl.dll!SplSetPrinterData') and thread.callstack.symbols not imatches ('KernelBase.dll!RegisterGPNotificationInternal') output: > diff --git a/rules/persistence_suspicious_startup_shell_folder_modification.yml b/rules/persistence_suspicious_startup_shell_folder_modification.yml index 92dfde71b..d98e6c5ee 100644 --- a/rules/persistence_suspicious_startup_shell_folder_modification.yml +++ b/rules/persistence_suspicious_startup_shell_folder_modification.yml @@ -1,6 +1,6 @@ name: Suspicious Startup shell folder modification id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad -version: 1.0.3 +version: 1.0.4 description: | Detects when adversaries attempt to modify the default Startup folder path to to circumvent runtime rules that hunt for file 
@@ -17,13 +17,9 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/ condition: > - modify_registry and registry.path imatches startup_shell_folder_registry_keys - and - not - ( - registry.value imatches startup_locations - or - registry.value imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup') - ) + modify_registry and + registry.path imatches startup_shell_folder_registry_keys and + not (registry.data imatches startup_locations or + registry.data imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')) min-engine-version: 3.0.0 diff --git a/rules/persistence_unusual_file_written_in_startup_folder.yml b/rules/persistence_unusual_file_written_in_startup_folder.yml index 6faa930e8..7d6934f9f 100644 --- a/rules/persistence_unusual_file_written_in_startup_folder.yml +++ b/rules/persistence_unusual_file_written_in_startup_folder.yml @@ -1,6 +1,6 @@ name: Unusual file written in Startup folder id: c5ffe15c-d94f-416b-bec7-c47f89843267 -version: 1.0.3 +version: 1.0.4 description: | Identifies suspicious files written to the startup folder that would allow adversaries to maintain persistence on the endpoint. 
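Review bot: The `not (...)` exclusion now tests `registry.data` where the old rule tested `registry.value`, which is a field change hidden inside an otherwise layout-only commit, and neither the rule description nor the patch-level bump (1.0.3 → 1.0.4) mentions it. If `registry.value` does not carry the written value data on the targeted engine, the previous exclusion never matched and this is a functional fix that deserves a line in the commit message; if both fields exist, it is worth confirming that `registry.data` is served at `min-engine-version: 3.0.0`. The second operand is the literal, unexpanded string `'%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'`, so a value written with the expanded path presumably only escapes the alert if `startup_locations` covers that form — a sentence in `description` stating that the exclusion intentionally matches the REG_EXPAND_SZ spelling would make the tuning reviewable.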
@@ -16,23 +16,16 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/ condition: > - create_file - and - ( - file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') - or - (file.is_exec or file.is_dll) - ) - and - file.path imatches startup_locations - and + create_file and + (file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') or (file.is_exec or file.is_dll)) and + file.path imatches startup_locations and ps.exe not imatches - ( - '?:\\Windows\\System32\\wuauclt.exe', - '?:\\Windows\\System32\\msiexec.exe', - '?:\\Windows\\SysWOW64\\msiexec.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*.exe' - ) + ( + '?:\\Windows\\System32\\wuauclt.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\SysWOW64\\msiexec.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*.exe' + ) min-engine-version: 3.0.0 diff --git a/rules/persistence_unusual_process_modified_registry_run_key.yml b/rules/persistence_unusual_process_modified_registry_run_key.yml index b7d4d54a2..5d263cb89 100644 --- a/rules/persistence_unusual_process_modified_registry_run_key.yml +++ b/rules/persistence_unusual_process_modified_registry_run_key.yml @@ -1,6 +1,6 @@ name: Unusual process modified registry run key id: 921508a5-b627-4c02-a295-6c6863c0897b -version: 1.0.5 +version: 1.0.6 description: | Identifies an attempt by unusual Windows native processes to modify the run key and gain persistence on users logons or machine reboots. 
@@ -16,32 +16,31 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/ condition: > - modify_registry and ps.exe imatches '?:\\Windows\\*' - and - registry.path imatches registry_run_keys - and + modify_registry and + ps.exe imatches '?:\\Windows\\*' and + registry.path imatches registry_run_keys and ps.exe not imatches - ( - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\SysWOW64\\msiexec.exe', - '?:\\Windows\\System32\\msiexec.exe', - '?:\\Windows\\System32\\drvinst.exe', - '?:\\Windows\\System32\\WinSAT.exe', - '?:\\Windows\\System32\\reg.exe', - '?:\\Windows\\regedit.exe', - '?:\\Windows\\SysWOW64\\reg.exe', - '?:\\Windows\\System32\\csrss.exe', - '?:\\Windows\\SysWOW64\\DriverStore\\*.exe', - '?:\\Windows\\System32\\DriverStore\\*.exe', - '?:\\Windows\\Installer\\*.exe', - '?:\\Windows\\explorer.exe', - '?:\\Windows\\IMECache\\*.exe', - '?:\\Windows\\System32\\sihost.exe', - '?:\\Windows\\SysWOW64\\prevhost.exe', - '?:\\Windows\\System32\\conhost.exe', - '?:\\Windows\\System32\\taskhostw.exe', - '?:\\Windows\\System32\\backgroundTaskHost.exe', - '?:\\Windows\\System32\\CompatTelRunner.exe' - ) + ( + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\SysWOW64\\msiexec.exe', + '?:\\Windows\\System32\\msiexec.exe', + '?:\\Windows\\System32\\drvinst.exe', + '?:\\Windows\\System32\\WinSAT.exe', + '?:\\Windows\\System32\\reg.exe', + '?:\\Windows\\regedit.exe', + '?:\\Windows\\SysWOW64\\reg.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\Windows\\SysWOW64\\DriverStore\\*.exe', + '?:\\Windows\\System32\\DriverStore\\*.exe', + '?:\\Windows\\Installer\\*.exe', + '?:\\Windows\\explorer.exe', + '?:\\Windows\\IMECache\\*.exe', + '?:\\Windows\\System32\\sihost.exe', + '?:\\Windows\\SysWOW64\\prevhost.exe', + '?:\\Windows\\System32\\conhost.exe', + '?:\\Windows\\System32\\taskhostw.exe', + '?:\\Windows\\System32\\backgroundTaskHost.exe', + '?:\\Windows\\System32\\CompatTelRunner.exe' + ) min-engine-version: 3.0.0 
diff --git a/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml b/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml index 222d7e9f9..95065aafe 100644 --- a/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml +++ b/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml @@ -1,6 +1,6 @@ name: Potential privilege escalation via phantom DLL hijacking id: 5ccdb5c2-3a30-4e14-87d2-d7aeb4c45fad -version: 1.0.4 +version: 1.0.5 description: | Identifies the loading of the phantom DLL that was previously dropped to the System directory. Adversaries may exploit this flow to escalate 
@@ -27,34 +27,34 @@ references: condition: > sequence maxspan 10m - |create_file and evt.pid != 4 and file.path imatches - ( - '?:\\Windows\\System32\\wow64log.dll', - '?:\\Windows\\wbemcomn.dll', - '?:\\Windows\\System\\Ualapi.dll', - '?:\\Windows\\System32\\EdgeGdi.dll', - '?:\\Windows\\*\\wbem\\wbemcomn.dll', - '?:\\Windows\\System32\\WindowsPowerShell\\*\\wbemcomn.dll', - '?:\\Windows\\*\\Ualapi.dll', - '?:\\Windows\\System32\\spool\\drivers\\x64\\PrintConfig.dll', - '?:\\Windows\\System32\\wlbsctrl.dll', - '?:\\Windows\\System32\\Tsmsisrv.dll', - '?:\\Windows\\System32\\TSVIPSrv.dll', - '?:\\Windows\\System32\\fveapi.dll', - '?:\\Windows\\System32\\Speech\\Engines\\TTS\\MSTTSLocEnUS.dll', - '?:\\Windows\\System32\\DXGIDebug.dll' - ) - and + |create_file and evt.pid != 4 and + file.path imatches + ( + '?:\\Windows\\System32\\wow64log.dll', + '?:\\Windows\\wbemcomn.dll', + '?:\\Windows\\System\\Ualapi.dll', + '?:\\Windows\\System32\\EdgeGdi.dll', + '?:\\Windows\\*\\wbem\\wbemcomn.dll', + '?:\\Windows\\System32\\WindowsPowerShell\\*\\wbemcomn.dll', + '?:\\Windows\\*\\Ualapi.dll', + '?:\\Windows\\System32\\spool\\drivers\\x64\\PrintConfig.dll', + '?:\\Windows\\System32\\wlbsctrl.dll', + '?:\\Windows\\System32\\Tsmsisrv.dll', + '?:\\Windows\\System32\\TSVIPSrv.dll', + '?:\\Windows\\System32\\fveapi.dll', + '?:\\Windows\\System32\\Speech\\Engines\\TTS\\MSTTSLocEnUS.dll', + '?:\\Windows\\System32\\DXGIDebug.dll' + ) and ps.exe not imatches - ( - '?:\\Windows\\System32\\RuntimeBroker.exe', - '?:\\Windows\\System32\\svchost.exe', - '?:\\Windows\\System32\\services.exe', - '?:\\Windows\\System32\\smss.exe', - '?:\\Windows\\System32\\csrss.exe', - '?:\\Windows\\System32\\wininit.exe', - '?:\\Windows\\System32\\winlogon.exe' - ) + ( + '?:\\Windows\\System32\\RuntimeBroker.exe', + '?:\\Windows\\System32\\svchost.exe', + '?:\\Windows\\System32\\services.exe', + '?:\\Windows\\System32\\smss.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\Windows\\System32\\wininit.exe', + 
'?:\\Windows\\System32\\winlogon.exe' + ) | by file.path |load_dll| by image.path diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml index e76c23c9e..27dbac6e0 100644 --- a/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml +++ b/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml @@ -1,6 +1,6 @@ name: Vulnerable or malicious driver dropped id: d4742163-cf68-4ebd-b9a2-3ad17bbf63d5 -version: 1.0.2 +version: 1.0.3 description: | Detects when adversaries drop a vulnerable/malicious driver onto a compromised system as a preparation for vulnerability @@ -16,9 +16,7 @@ references: - https://www.loldrivers.io/ condition: > - create_file and file.is_driver - and - (file.is_driver_vulnerable or file.is_driver_malicious) + create_file and file.is_driver and (file.is_driver_vulnerable or file.is_driver_malicious) output: > Vulnerable or malicious %file.path driver dropped diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml index e2e660f0b..a951b5205 100644 --- a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml +++ b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml @@ -1,6 +1,6 @@ name: Vulnerable or malicious driver loaded id: e8005f1d-b4ec-45ee-a3ea-4247eac123db -version: 1.0.2 +version: 1.0.3 description: | Detects when adversaries load a vulnerable/malicious driver into the compromised system to exploit the vulnerability and @@ -16,9 +16,7 @@ references: - https://www.loldrivers.io/ condition: > - (load_driver) - and - (image.is_driver_vulnerable or image.is_driver_malicious) + (load_driver) and (image.is_driver_vulnerable or image.is_driver_malicious) output: > Vulnerable or malicious %image.path driver loaded