diff --git a/rules/credential_access_lsass_access_from_unsigned_executable.yml b/rules/credential_access_lsass_access_from_unsigned_executable.yml index 515f0f39a..2d4d00f10 100644 --- a/rules/credential_access_lsass_access_from_unsigned_executable.yml +++ b/rules/credential_access_lsass_access_from_unsigned_executable.yml @@ -1,6 +1,6 @@ name: LSASS access from unsigned executable id: 348bf896-2201-444f-b1c9-e957a1f063bf -version: 1.0.4 +version: 1.0.5 description: | Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). Adversaries may try to dump credential information stored in the process memory of LSASS. @@ -21,9 +21,7 @@ condition: > sequence maxspan 7m by ps.uuid - |load_unsigned_executable and - ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe' - | + |load_unsigned_executable and ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'| |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'| action: - name: kill diff --git a/rules/credential_access_lsass_handle_leak_via_seclogon.yml b/rules/credential_access_lsass_handle_leak_via_seclogon.yml index 3df949487..89bacb1e3 100644 --- a/rules/credential_access_lsass_handle_leak_via_seclogon.yml +++ b/rules/credential_access_lsass_handle_leak_via_seclogon.yml @@ -1,6 +1,6 @@ name: LSASS handle leak via Seclogon id: 5d55c938-875e-49e1-ae53-fa196d4445eb -version: 1.0.3 +version: 1.0.4 description: | Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in @@ -20,7 +20,7 @@ references: - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html condition: > - open_process and + open_process and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' and ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll') diff --git a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml index 3e27e8228..27fb97101 100644 --- a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml +++ b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml @@ -1,6 +1,6 @@ name: LSASS memory dump via MiniDumpWriteDump id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777 -version: 1.0.2 +version: 1.0.3 description: | Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the memory via MiniDumpWriteDump API. @@ -20,7 +20,7 @@ references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass condition: > - ((open_process) or (open_thread)) and + ((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump')) action: diff --git a/rules/credential_access_registry_access_to_sam_database.yml b/rules/credential_access_registry_access_to_sam_database.yml index 80b76fff4..9b23fec41 100644 --- a/rules/credential_access_registry_access_to_sam_database.yml +++ b/rules/credential_access_registry_access_to_sam_database.yml @@ -1,6 +1,6 @@ name: Registry access to SAM database id: 2f326557-0291-4eb1-a87a-7a17b7d941cb -version: 2.0.1 +version: 2.0.2 description: Identifies access to the Security Account Manager registry hives. labels: @@ -26,7 +26,8 @@ condition: > '?:\\Program Files\\*.exe', '?:\\Program Files (x86)\\*.exe', '?:\\Windows\\System32\\svchost.exe' - )) and + ) + ) and not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') and not (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe') | diff --git a/rules/credential_access_suspicious_lsa_secrets_registry_access.yml b/rules/credential_access_suspicious_lsa_secrets_registry_access.yml index 1eb9702c5..25bc4eeac 100644 --- a/rules/credential_access_suspicious_lsa_secrets_registry_access.yml +++ b/rules/credential_access_suspicious_lsa_secrets_registry_access.yml @@ -1,6 +1,6 @@ name: Suspicious LSA secrets registry access id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af -version: 2.0.0 +version: 2.0.1 description: | Identifies access to LSA secrets by suspicious processes that access sensitive SECURITY registry hives associated with cached credentials and LSA secrets storage. @@ -41,10 +41,7 @@ condition: > 'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*', 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*' ) and - registry.path not imatches - ( - 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*' - ) + registry.path not imatches 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*' | action: - name: kill diff --git a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml index 183c59a4e..7c7649410 100644 --- a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml +++ b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml @@ -1,6 +1,6 @@ name: Suspicious security package DLL loaded id: 2c74f176-9a95-4344-a1aa-15aa06e16919 -version: 1.1.3 +version: 1.1.4 description: | Attackers can abuse Windows Security Support Provider and Authentication Packages to dynamically inject a Security Package into the Local Security Authority Subsystem Service @@ -20,7 +20,6 @@ references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package condition: > - ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and - (load_unsigned_or_untrusted_module) + ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and (load_unsigned_or_untrusted_module) min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_potential_process_creation_via_shellcode.yml b/rules/defense_evasion_potential_process_creation_via_shellcode.yml index 5c51a3faf..aafafaeae 100644 --- a/rules/defense_evasion_potential_process_creation_via_shellcode.yml +++ b/rules/defense_evasion_potential_process_creation_via_shellcode.yml @@ -1,6 +1,6 @@ name: Potential process creation via shellcode id: 7a918532-12d1-4aa2-8c46-8769c67cac07 -version: 1.0.3 +version: 1.0.4 description: | Identifies the creation of a process with stack frames originating from floating memory area while invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of @@ -16,9 +16,7 @@ references: - https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec condition: > - spawn_process and - thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*' and - thread.callstack.symbols imatches ('kernel32.dll!WinExec*') + spawn_process and thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*' and thread.callstack.symbols imatches ('kernel32.dll!WinExec*') output: > Process %ps.exe created via potential shellcode injection by process %ps.parent.exe diff --git a/rules/defense_evasion_potential_shellcode_injection_via_windows_debugging_api.yml b/rules/defense_evasion_potential_shellcode_injection_via_windows_debugging_api.yml index 821124fe0..5cfcc5267 100644 --- a/rules/defense_evasion_potential_shellcode_injection_via_windows_debugging_api.yml +++ b/rules/defense_evasion_potential_shellcode_injection_via_windows_debugging_api.yml @@ -1,6 +1,6 @@ name: Potential shellcode injection via Windows Debugging API id: 0100c5ce-3cdf-4701-8253-6c33bb48eabf -version: 1.0.0 +version: 1.0.1 description: | Identifies shellcode injection using the Windows Debugging API and shared memory section. Attackers avoid writing and reading remote memory directly, instead employ context manipulation @@ -28,9 +28,7 @@ condition: > '?:\\Windows\\System32\\WerFault.exe' ) | by thread.pid - |map_view_of_section and - file.view.protection = 'READONLY|EXECUTE' and file.view.size >= 4096 - | by ps.pid + |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.view.size >= 4096| by ps.pid action: - name: kill diff --git a/rules/defense_evasion_process_creation_via_ntfs_transaction.yml b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml index 866a120b3..3217d4fa2 100644 --- a/rules/defense_evasion_process_creation_via_ntfs_transaction.yml +++ b/rules/defense_evasion_process_creation_via_ntfs_transaction.yml @@ -1,6 +1,6 @@ name: Process creation via NTFS transaction id: eb34cf6e-ccc3-4bce-bbcf-013720640a28 -version: 2.0.0 +version: 2.0.1 description: | Adversaries may inject malicious code into process by abusing NTFS transactions to avoid writing the final executable image to disk. Attackers exploit TxF API @@ -22,13 +22,7 @@ references: condition: > sequence maxspan 2m - |create_file and - evt.pid != 4 and thread.callstack.symbols imatches - ( - 'kernel32.dll!CreateFileTransacted*', - 'ntdll.dll!RtlSetCurrentTransaction' - ) - | by file.name + |create_file and evt.pid != 4 and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by file.name |spawn_process and ps.name != base(ps.exe) and thread.callstack.symbols not imatches ('ntdll.dll!*CreateUserProcess') diff --git a/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml b/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml index 12e37a50f..f3fa84996 100644 --- a/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml +++ b/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml @@ -1,6 +1,6 @@ name: Process execution from hollowed memory section id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53 -version: 2.1.2 +version: 2.1.3 description: | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code @@ -36,7 +36,7 @@ condition: > | by ps.uuid, file.view.base |load_executable and module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe' and - (ps.exe not imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline not imatches '*0xffffffff -ForceV1' and ps.parent.exe not imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe') + not (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline imatches '*0xffffffff -ForceV1' and ps.parent.exe imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe') | by ps.uuid, module.base action: - name: kill diff --git a/rules/defense_evasion_suspicious_activity_from_reflected_process.yml b/rules/defense_evasion_suspicious_activity_from_reflected_process.yml index d411008ba..926158aac 100644 --- a/rules/defense_evasion_suspicious_activity_from_reflected_process.yml +++ b/rules/defense_evasion_suspicious_activity_from_reflected_process.yml @@ -1,6 +1,6 @@ name: Suspicious activity from a reflected process id: 2c5d3663-3e76-4cba-bd72-178757112f2c -version: 1.0.0 +version: 1.0.1 description: | Detects the execution of a process clone via RtlCreateProcessReflection followed by network activity or loading of common networking DLLs. @@ -22,9 +22,7 @@ condition: > sequence maxspan 2m by ps.uuid - |spawn_process and - thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*') - | + |spawn_process and thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')| |(connect_socket and net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')) or diff --git a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml index 9ddbe5f76..4936c7768 100644 --- a/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml +++ b/rules/defense_evasion_suspicious_dll_loaded_via_memory_section_mapping.yml @@ -1,6 +1,6 @@ name: Suspicious DLL loaded via memory section mapping id: b06653fb-227e-4e63-9a69-55a5a90c79e5 -version: 1.0.3 +version: 1.0.4 description: | Identifies the mapping of a memory section with RX protection followed by unsigned DLL loading. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses @@ -23,10 +23,7 @@ condition: > by ps.uuid |map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and evt.pid != 4 and file.view.size >= 4096 and - ps.exe not imatches - ( - '?:\\Program Files\\Mozilla Firefox\\firefox.exe' - ) + ps.exe not imatches '?:\\Program Files\\Mozilla Firefox\\firefox.exe' | |(load_unsigned_or_untrusted_dll)| action: diff --git a/rules/defense_evasion_windows_defender_driver_unloading.yml b/rules/defense_evasion_windows_defender_driver_unloading.yml index 64264cc8c..d9c0f2908 100644 --- a/rules/defense_evasion_windows_defender_driver_unloading.yml +++ b/rules/defense_evasion_windows_defender_driver_unloading.yml @@ -1,6 +1,6 @@ name: Windows Defender driver unloading id: c9b93fbc-8845-4f39-a74b-26862615432c -version: 1.0.2 +version: 1.0.3 description: | Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections. @@ -19,8 +19,7 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1562/001 condition: > - unload_driver and - evt.pid != 4 and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys') + unload_driver and evt.pid != 4 and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys') output: > Windows Defender driver %module.path unloaded by process %ps.exe diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml index ff29780a2..c6044f03e 100644 --- a/rules/persistence_hidden_local_account_creation.yml +++ b/rules/persistence_hidden_local_account_creation.yml @@ -1,6 +1,6 @@ name: Hidden local account creation id: bfa83754-3730-4c46-a0fd-cc71365f64df -version: 1.0.3 +version: 1.0.4 description: | Identifies the creation of a hidden local account. Adversaries can create hidden accounts by appending the dollar sign to the account name. This technique renders the account name hidden @@ -17,12 +17,7 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/ condition: > - modify_registry and - registry.path imatches - ( - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$', - 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$' - ) + modify_registry and registry.path imatches ('HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$', 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$') severity: high diff --git a/rules/privilege_escalation_fake_system_root_directory_creation.yml b/rules/privilege_escalation_fake_system_root_directory_creation.yml index b8564c2eb..29f99679d 100644 --- a/rules/privilege_escalation_fake_system_root_directory_creation.yml +++ b/rules/privilege_escalation_fake_system_root_directory_creation.yml @@ -1,6 +1,6 @@ name: Fake system root directory creation id: c70c41e2-fd43-466d-9cb6-20b259380960 -version: 1.0.0 +version: 1.0.1 description: | Detects attempts to create a fake or malformed Windows system root directory by a unprivileged process, which may indicate exploitation @@ -16,12 +16,7 @@ references: - https://github.com/hfiref0x/UACME condition: > - create_file and - ps.sid != 'S-1-5-18' and file.path imatches - ( - '?:\\Windows ', - '?:\\ Windows*' - ) + create_file and ps.sid != 'S-1-5-18' and file.path imatches ('?:\\Windows ', '?:\\ Windows*') action: - name: kill