Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: LSASS access from unsigned executable
id: 348bf896-2201-444f-b1c9-e957a1f063bf
version: 1.0.4
version: 1.0.5
description: |
Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS).
Adversaries may try to dump credential information stored in the process memory of LSASS.
Expand All @@ -21,9 +21,7 @@ condition: >
sequence
maxspan 7m
by ps.uuid
|load_unsigned_executable and
ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
|
|load_unsigned_executable and ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'|
|((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
action:
- name: kill
Expand Down
4 changes: 2 additions & 2 deletions rules/credential_access_lsass_handle_leak_via_seclogon.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: LSASS handle leak via Seclogon
id: 5d55c938-875e-49e1-ae53-fa196d4445eb
version: 1.0.3
version: 1.0.4
description: |
Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
Expand All @@ -20,7 +20,7 @@ references:
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html

condition: >
open_process and
open_process and
evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' and
ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: LSASS memory dump via MiniDumpWriteDump
id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
version: 1.0.2
version: 1.0.3
description: |
Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the
memory via MiniDumpWriteDump API.
Expand All @@ -20,7 +20,7 @@ references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass

condition: >
((open_process) or (open_thread)) and
((open_process) or (open_thread)) and
evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
(thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))
action:
Expand Down
5 changes: 3 additions & 2 deletions rules/credential_access_registry_access_to_sam_database.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Registry access to SAM database
id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
version: 2.0.1
version: 2.0.2
description:
Identifies access to the Security Account Manager registry hives.
labels:
Expand All @@ -26,7 +26,8 @@ condition: >
'?:\\Program Files\\*.exe',
'?:\\Program Files (x86)\\*.exe',
'?:\\Windows\\System32\\svchost.exe'
)) and
)
) and
not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') and
not (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
|
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Suspicious LSA secrets registry access
id: e5e95cbe-c8ab-418c-abe3-539d70a0b0af
version: 2.0.0
version: 2.0.1
description: |
Identifies access to LSA secrets by suspicious processes that access sensitive
SECURITY registry hives associated with cached credentials and LSA secrets storage.
Expand Down Expand Up @@ -41,10 +41,7 @@ condition: >
'HKEY_LOCAL_MACHINE\\SECURITY\\CACHE\\*',
'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\*'
) and
registry.path not imatches
(
'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
)
registry.path not imatches 'HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\$MACHINE.ACC\\CupdTime\\*'
|
action:
- name: kill
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Suspicious security package DLL loaded
id: 2c74f176-9a95-4344-a1aa-15aa06e16919
version: 1.1.3
version: 1.1.4
description: |
Attackers can abuse Windows Security Support Provider and Authentication Packages to
dynamically inject a Security Package into the Local Security Authority Subsystem Service
Expand All @@ -20,7 +20,6 @@ references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package

condition: >
ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and
(load_unsigned_or_untrusted_module)
ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll') and (load_unsigned_or_untrusted_module)

min-engine-version: 3.0.0
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Potential process creation via shellcode
id: 7a918532-12d1-4aa2-8c46-8769c67cac07
version: 1.0.3
version: 1.0.4
description: |
Identifies the creation of a process with stack frames originating from floating memory area while
invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of
Expand All @@ -16,9 +16,7 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec

condition: >
spawn_process and
thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*' and
thread.callstack.symbols imatches ('kernel32.dll!WinExec*')
spawn_process and thread.callstack.is_unbacked = true and thread.callstack.summary imatches '*kernel32.dll|unbacked*' and thread.callstack.symbols imatches ('kernel32.dll!WinExec*')

output: >
Process %ps.exe created via potential shellcode injection by process %ps.parent.exe
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Potential shellcode injection via Windows Debugging API
id: 0100c5ce-3cdf-4701-8253-6c33bb48eabf
version: 1.0.0
version: 1.0.1
description: |
Identifies shellcode injection using the Windows Debugging API and shared memory section.
Attackers avoid writing and reading remote memory directly, instead employ context manipulation
Expand Down Expand Up @@ -28,9 +28,7 @@ condition: >
'?:\\Windows\\System32\\WerFault.exe'
)
| by thread.pid
|map_view_of_section and
file.view.protection = 'READONLY|EXECUTE' and file.view.size >= 4096
| by ps.pid
|map_view_of_section and file.view.protection = 'READONLY|EXECUTE' and file.view.size >= 4096| by ps.pid
action:
- name: kill

Expand Down
10 changes: 2 additions & 8 deletions rules/defense_evasion_process_creation_via_ntfs_transaction.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Process creation via NTFS transaction
id: eb34cf6e-ccc3-4bce-bbcf-013720640a28
version: 2.0.0
version: 2.0.1
description: |
Adversaries may inject malicious code into process by abusing NTFS transactions
to avoid writing the final executable image to disk. Attackers exploit TxF API
Expand All @@ -22,13 +22,7 @@ references:
condition: >
sequence
maxspan 2m
|create_file and
evt.pid != 4 and thread.callstack.symbols imatches
(
'kernel32.dll!CreateFileTransacted*',
'ntdll.dll!RtlSetCurrentTransaction'
)
| by file.name
|create_file and evt.pid != 4 and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by file.name
|spawn_process and
ps.name != base(ps.exe) and
thread.callstack.symbols not imatches ('ntdll.dll!*CreateUserProcess')
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Process execution from hollowed memory section
id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
version: 2.1.2
version: 2.1.3
description: |
Adversaries may inject malicious code into suspended and hollowed processes in order to
evade process-based defenses. Process hollowing is a method of executing arbitrary code
Expand Down Expand Up @@ -36,7 +36,7 @@ condition: >
| by ps.uuid, file.view.base
|load_executable and
module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe' and
(ps.exe not imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline not imatches '*0xffffffff -ForceV1' and ps.parent.exe not imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe')
not (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline imatches '*0xffffffff -ForceV1' and ps.parent.exe imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe')
| by ps.uuid, module.base
action:
- name: kill
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Suspicious activity from a reflected process
id: 2c5d3663-3e76-4cba-bd72-178757112f2c
version: 1.0.0
version: 1.0.1
description: |
Detects the execution of a process clone via RtlCreateProcessReflection
followed by network activity or loading of common networking DLLs.
Expand All @@ -22,9 +22,7 @@ condition: >
sequence
maxspan 2m
by ps.uuid
|spawn_process and
thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')
|
|spawn_process and thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection*', 'ntdll.dll!RtlCloneUserProcess*')|
|(connect_socket and
net.dip != 0.0.0.0 and net.dip not in ('0:0:0:0:0:0:0:1', '::1') and
not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')) or
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Suspicious DLL loaded via memory section mapping
id: b06653fb-227e-4e63-9a69-55a5a90c79e5
version: 1.0.3
version: 1.0.4
description: |
Identifies the mapping of a memory section with RX protection followed by unsigned DLL loading.
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
Expand All @@ -23,10 +23,7 @@ condition: >
by ps.uuid
|map_view_of_section and
file.view.protection = 'READONLY|EXECUTE' and evt.pid != 4 and file.view.size >= 4096 and
ps.exe not imatches
(
'?:\\Program Files\\Mozilla Firefox\\firefox.exe'
)
ps.exe not imatches '?:\\Program Files\\Mozilla Firefox\\firefox.exe'
|
|(load_unsigned_or_untrusted_dll)|
action:
Expand Down
5 changes: 2 additions & 3 deletions rules/defense_evasion_windows_defender_driver_unloading.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Windows Defender driver unloading
id: c9b93fbc-8845-4f39-a74b-26862615432c
version: 1.0.2
version: 1.0.3
description: |
Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys,
which may indicate an attempt to impair or disable antivirus protections.
Expand All @@ -19,8 +19,7 @@ labels:
subtechnique.ref: https://attack.mitre.org/techniques/T1562/001

condition: >
unload_driver and
evt.pid != 4 and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')
unload_driver and evt.pid != 4 and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')

output: >
Windows Defender driver %module.path unloaded by process %ps.exe
Expand Down
9 changes: 2 additions & 7 deletions rules/persistence_hidden_local_account_creation.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Hidden local account creation
id: bfa83754-3730-4c46-a0fd-cc71365f64df
version: 1.0.3
version: 1.0.4
description: |
Identifies the creation of a hidden local account. Adversaries can create hidden accounts by
appending the dollar sign to the account name. This technique renders the account name hidden
Expand All @@ -17,12 +17,7 @@ labels:
subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/

condition: >
modify_registry and
registry.path imatches
(
'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$',
'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$'
)
modify_registry and registry.path imatches ('HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$', 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$')

severity: high

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Fake system root directory creation
id: c70c41e2-fd43-466d-9cb6-20b259380960
version: 1.0.0
version: 1.0.1
description: |
Detects attempts to create a fake or malformed Windows system root
directory by a unprivileged process, which may indicate exploitation
Expand All @@ -16,12 +16,7 @@ references:
- https://github.com/hfiref0x/UACME

condition: >
create_file and
ps.sid != 'S-1-5-18' and file.path imatches
(
'?:\\Windows ',
'?:\\ Windows*'
)
create_file and ps.sid != 'S-1-5-18' and file.path imatches ('?:\\Windows ', '?:\\ Windows*')
action:
- name: kill

Expand Down
Loading