├── README.md
├── LOL_BINs
│   ├── Wermgr_injection.yml
│   ├── MSTeams_side-loading.yml
│   └── Dumpbin_LoLBin.yml
├── MISC
│   ├── schtasks_win-def-removal.yml
│   ├── AMSI_Bypass.yml
│   ├── DisableRestrictedAdmin.yml
│   ├── Powershell_downloader_cradle.yml
│   ├── schtask_enc-psh.yml
│   ├── registry_hide_user.yml
│   ├── hh_LOLBA.yml
│   ├── win-lazagne.yml
│   └── reg_enabling_rdp.yml
├── windows_exploitation
│   ├── KrbRelayUp.yml
│   ├── zero_exe.yml
│   ├── sdiagnhost-ms-msdt_exploitation.yml
│   ├── WSUS_abuse.yml
│   ├── ms-msdt_exploitation.yml
│   ├── Kerberoasting_Activity.yml
│   └── DC_Impersonation.yml
├── vulnerability_exploitation
│   ├── VMware_Horizon_LOG4J.yml
│   ├── 7z_CVE-2022-29072.yml
│   └── VMWare_CVE-2022-22954.yml
└── malware
    ├── Emotet_04_22.yml
    ├── Raspberry_Robin_usb-exec.yml
    ├── Raspberry_Robin_mal-exec.yml
    ├── Serpent_payload_exec.yml
    ├── ChromeLoader.yml
    └── SocGholish_FakeUpdates.yml

/README.md:
--------------------------------------------------------------------------------
# Sigma_rules
Random sigma rules to share with the community

**All rules are made by me. Research is referenced in the rules**
--------------------------------------------------------------------------------

/LOL_BINs/Wermgr_injection.yml:
--------------------------------------------------------------------------------
title: Wermgr.exe spawning without command line arguments
description: Wermgr.exe should not spawn without any command line arguments. Malware sometimes uses process injection into it to masquerade its malicious activity and evade detection.
status: experimental
date: 2022/09/14
author: '@kostastsale'
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\wermgr.exe'
    CommandLine|endswith:
      - '\wermgr.exe'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
--------------------------------------------------------------------------------

/MISC/schtasks_win-def-removal.yml:
--------------------------------------------------------------------------------
title: Deleting Windows Defender scheduled tasks
status: experimental
description: Detects the deletion of scheduled tasks related to Windows Defender.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/delete'
      - '/tn'
      - 'Windows Defender'
  condition: selection1
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
--------------------------------------------------------------------------------

/MISC/AMSI_Bypass.yml:
--------------------------------------------------------------------------------
title: Detects attempts to disable AMSI in the command line
status: experimental
description: Detects the PowerShell command line of the reflection-based AMSI bypass, which disables AMSI before the main payload is loaded.
author: '@Kostastsale'
references:
  - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
date: 2022/11/04
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\powershell_ise.exe'
    CommandLine|contains|all:
      - '[Ref].Assembly.GetType'
      - 'SetValue($null,$true)'
      - 'NonPublic,Static'
  condition: selection1
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.execution
  - attack.t1059.001
--------------------------------------------------------------------------------

/MISC/DisableRestrictedAdmin.yml:
--------------------------------------------------------------------------------
title: Enabling restricted admin mode
status: experimental
description: Detects the registry modification that enables restricted admin mode, performed via reg.exe or PowerShell.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
      - '\reg.exe'
    CommandLine|contains|all:
      - '/add'
      - 'DisableRestrictedAdmin'
      - 'hklm\system\currentcontrolset\control\lsa'
  selection2:
    CommandLine|contains:
      - '-Value 0'
      - '/d 0'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
--------------------------------------------------------------------------------

/MISC/Powershell_downloader_cradle.yml:
--------------------------------------------------------------------------------
title: Using a specific PowerShell download cradle one-liner
status: experimental
description: Detects the execution of a specific one-liner that downloads PowerShell modules and imports them in memory.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
  - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains|all:
      - 'http://127.0.0.1'
      - '%{(IRM $_)}'
      - '.SubString.ToString()[67,72,64]-Join'
      - 'Import-Module'
  condition: selection1
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.execution
  - attack.t1059.001
--------------------------------------------------------------------------------

/MISC/schtask_enc-psh.yml:
--------------------------------------------------------------------------------
title: Scheduled task executing PowerShell encoded payload from registry
status: experimental
description: Detects the creation of a scheduled task that uses PowerShell to execute a base64 encoded payload stored in the Windows Registry.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/Create'
      - '/SC'
  selection2:
    CommandLine|contains|all:
      - 'FromBase64String'
      - 'powershell'
      - 'Get-ItemProperty'
      - 'HKCU:'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.persistence
  - attack.t1053.005
  - attack.t1059.001
--------------------------------------------------------------------------------

/MISC/registry_hide_user.yml:
--------------------------------------------------------------------------------
title: Hiding local user accounts
description: Detects the use of reg.exe to hide users from the logon screen list. This is done by setting the registry value for a specific user to 0.
status: experimental
references:
  -
author: '@Kostastsale, @TheDFIRReport'
date: 2022/05/14
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    Image|endswith:
      - '\reg.exe'
    CommandLine|contains|all:
      - 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist'
      - 'add'
      - '/t'
      - 'REG_DWORD'
      - '/v'
      - '/d 0'
  condition: selection1
falsepositives:
  - System administrator activities
level: medium
tags:
  - attack.defense_evasion
  - attack.t1564.002
--------------------------------------------------------------------------------

/windows_exploitation/KrbRelayUp.yml:
--------------------------------------------------------------------------------
title: KrbRelayUp local privilege escalation
description: Detects possible successful exploitation using tools such as KrbRelayUp in an AD environment.
status: experimental
date: 2022/04/26
author: '@kostastsale'
references:
  - https://github.com/Dec0ne/KrbRelayUp
  - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
  - https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
logsource:
  product: windows
  service: security
detection:
  selection1:
    EventID: 4624
    LogonType: '3'
    AuthenticationPackageName: 'Kerberos'
    IpAddress: '127.0.0.1'
    TargetUserSid: 'S-1-5-21-*-500'
  filter:
    IpPort: '0'
  condition: selection1 and not filter
falsepositives:
  - Unknown
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
--------------------------------------------------------------------------------

/vulnerability_exploitation/VMware_Horizon_LOG4J.yml:
--------------------------------------------------------------------------------
title: Exploitation of vulnerable VMware Horizon via Log4j
description: Detects an initial exploitation attempt against VMware Horizon deployments running vulnerable versions of Log4j.
status: experimental
date: 2022/01/14
author: '@kostastsale'
references:
  - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
  - https://twitter.com/TheDFIRReport/status/1482078434327244805
  - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\ws_TomcatService.exe'
  selection2:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection1 and selection2
falsepositives:
  - Unlikely
level: high
tags:
  - attack.initial_access
  - attack.t1190
--------------------------------------------------------------------------------

/malware/Emotet_04_22.yml:
--------------------------------------------------------------------------------
title: Emotet loader execution via .lnk file
description: Detects the latest Emotet loader as reported by @malware_traffic. The .lnk file was delivered via a phishing campaign.
status: experimental
date: 2022/04/22
author: '@kostastsale'
references:
  - https://twitter.com/malware_traffic/status/1517622327000846338
  - https://twitter.com/Cryptolaemus1/status/1517634855940632576
  - https://tria.ge/220422-1pw1pscfdl/
  - https://tria.ge/220422-1nnmyagdf2/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage:
      - '*\cmd.exe'
      - '*\powershell.exe'
      - '*\explorer.exe'
    Image:
      - '*\cmd.exe'
      - '*\powershell.exe'
    CommandLine|contains|all:
      - 'findstr'
      - '.vbs'
      - '.lnk'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.006
--------------------------------------------------------------------------------

/LOL_BINs/MSTeams_side-loading.yml:
--------------------------------------------------------------------------------
title: MSTeams exe side-loading - Update.exe
description: Detects execution of a side-loaded executable via Update.exe, part of the Microsoft Teams application binaries.
status: experimental
date: 2022/01/12
author: '@kostastsale'
references:
  - https://twitter.com/misconfig/status/1481198346379436035
  - https://twitter.com/Kostastsale/status/1481438427878858755
  - https://github.com/Squirrel/Squirrel.Windows/blob/0d1250aa6f0c25fe22e92add78af327d1277d97d/src/Update/Program.cs#L123
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentCommandLine|contains|all:
      - 'AppData\Local\Microsoft\Teams\Update.exe'
      - '--processStart *.exe'
    ParentImage|endswith:
      - 'update.exe'
  filter:
    Image|endswith:
      - 'Teams.exe'
  condition: selection1 and not filter
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
--------------------------------------------------------------------------------

/windows_exploitation/zero_exe.yml:
--------------------------------------------------------------------------------
title: Execution of ZeroLogon PoC executable
status: experimental
description: Detects the execution of the commonly used ZeroLogon PoC executable.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
    Image|endswith:
      - '\cool.exe'
      - '\zero.exe'
    CommandLine|contains|all:
      - 'Administrator'
      - '-c'
  selection2:
    CommandLine|contains|all:
      - 'taskkill'
      - '/f'
      - '/im'
  selection3:
    CommandLine|contains:
      - 'powershell'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.t1210
--------------------------------------------------------------------------------

/malware/Raspberry_Robin_usb-exec.yml:
--------------------------------------------------------------------------------
title: Raspberry Robin initial execution from external drive
description: Detects Raspberry Robin's initial execution from an external drive, where cmd.exe launches msiexec.exe to fetch a payload over HTTP.
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
  - https://redcanary.com/blog/raspberry-robin/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
    ParentCommandLine|contains:
      - '/r'
    Image|endswith:
      - '\msiexec.exe'
    CommandLine|contains:
      - '/q'
      - '-q'
  selection2:
    CommandLine|contains:
      - 'http:'
      - 'https:'
    ParentCommandLine|endswith:
      - '.usb'
      - '.ico'
      - '.lnk'
      - '.bin'
      - '.sv'
      - '.lo'
  condition: selection1 and selection2
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.001
--------------------------------------------------------------------------------

/LOL_BINs/Dumpbin_LoLBin.yml:
--------------------------------------------------------------------------------
title: Dumpbin LOLBin use for proxying execution via link.exe
description: dumpbin.exe is a Windows binary installed alongside Visual Studio. When dumpbin.exe is executed,
  it calls link.exe without checking the legitimacy of a binary named link.exe in the same directory.
status: experimental
date: 2022/08/25
author: '@kostastsale'
references:
  - https://twitter.com/0gtweet/status/1560732860935729152
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\link.exe'
    ParentImage|endswith:
      - '\dumpbin.exe'
  filter:
    Image|endswith:
      - '\bin\hostx64\x64\link.exe'
      - '\bin\hostx86\x86\link.exe'
    ParentImage|endswith:
      - '\bin\hostx64\x64\dumpbin.exe'
      - '\bin\hostx86\x86\dumpbin.exe'
  condition: selection1 and not filter
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
--------------------------------------------------------------------------------

/vulnerability_exploitation/7z_CVE-2022-29072.yml:
--------------------------------------------------------------------------------
title: Exploitation of 7zip vulnerability - CVE-2022-29072
description: Detects possible exploitation of vulnerability CVE-2022-29072. This vulnerability is due to a 7z.dll misconfiguration. When a .7z file is placed in the Help > Contents area of the current 7-Zip version 21.07, anyone with access to the host can elevate privileges. The resulting command runs as a child process of 7zFM.exe.
status: experimental
date: 2022/04/18
author: '@kostastsale'
references:
  - https://github.com/kagancapar/CVE-2022-29072
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - 'cmd.exe'
      - 'powershell.exe'
    ParentImage|endswith:
      - '7zFM.exe'
  filter:
    CommandLine|endswith:
      - '.bat'
      - '.cmd'
      - '.ps1'
  condition: selection1 and not filter
falsepositives:
  - Some false positives could exist but are unlikely
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
--------------------------------------------------------------------------------

/windows_exploitation/sdiagnhost-ms-msdt_exploitation.yml:
--------------------------------------------------------------------------------
title: ms-msdt for RCE - sdiagnhost.exe spawning command
description: Detects sdiagnhost.exe executing the PoC payload as a result of the ms-msdt based vulnerability.
status: experimental
references:
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
author: '@Kostastsale'
date: 2022/05/29
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\sdiagnhost.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  filter1:
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - 'bits'
  filter2:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|endswith:
      - '-noprofile'
      - '-noprofile -'
  condition: selection1 and not (filter1 or filter2)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1204.002
--------------------------------------------------------------------------------

/malware/Raspberry_Robin_mal-exec.yml:
--------------------------------------------------------------------------------
title: Raspberry Robin subsequent execution of commands
description: Detects Raspberry Robin's subsequent execution of commands from
status: experimental
date: 2022/05/06
author: '@kostastsale'
references:
  - https://redcanary.com/blog/raspberry-robin/
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\fodhelper.exe'
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
    CommandLine|contains|all:
      - 'shellexec_rundll'
      - 'regsvr'
      - 'odbcconf.exe'
  selection2:
    CommandLine|endswith:
      - '-a'
      - '/a'
      - '-f'
      - '/f'
      - '-s'
      - '/s'
  selection3:
    CommandLine|contains:
      - 'vkipdse'
      - 'setfiledsndir'
      - 'installdriver'
  condition: selection1 and selection2 and selection3
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.001
--------------------------------------------------------------------------------

/malware/Serpent_payload_exec.yml:
--------------------------------------------------------------------------------
title: Serpent backdoor payload execution via scheduled task
description: >
  Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint,
  one of the commands the backdoor ran created a temporary scheduled task using an unusual method: it creates a fictitious
  Windows event and a trigger that executes the payload once the event is created.
status: experimental
date: 2022/03/21
author: '@kostastsale'
references:
  - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image:
      - '*\cmd.exe'
      - '*\powershell.exe'
    CommandLine|contains|all:
      - '/create'
      - '/ec'
      - '[System/EventID='
      - '/tn run'
      - '/so'
      - '/delete'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.006
  - attack.persistence
  - attack.t1053.005
--------------------------------------------------------------------------------

/windows_exploitation/WSUS_abuse.yml:
--------------------------------------------------------------------------------
title: Abuse of the Windows Server Update Services (WSUS) for lateral movement
status: experimental
description: Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
  Some tools, such as SharpWSUS and WSUSpendu, support lateral movement through WSUS. This rule covers those two main tools used for that purpose.
author: '@Kostastsale'
references:
  - https://labs.nettitude.com/blog/introducing-sharpwsus/
  - https://github.com/nettitude/SharpWSUS
  - https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
date: 2022/10/07
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    CommandLine|contains:
      - ' /payload:'
      - ' -PayloadArgs '
      - ' /updateid:'
      - ' -PayloadFile '
  selection2:
    CommandLine|contains:
      - ' create '
      - ' check '
      - ' delete '
      - '-Inject'
  condition: selection1 and selection2
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.t1210
--------------------------------------------------------------------------------

/malware/ChromeLoader.yml:
--------------------------------------------------------------------------------
title: ChromeLoader Malware Detection
description: Detects execution of ChromeLoader malware via a registered scheduled task
status: experimental
date: 2022/01/10
author: '@kostastsale'
references:
  - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
  - https://twitter.com/th3_protoCOL/status/1480621526764322817
  - https://twitter.com/Kostastsale/status/1480716528421011458
  - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentCommandLine|contains:
      - '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
    ParentImage|endswith:
      - '\powershell.exe'
  selection2:
    CommandLine|contains:
      - '--load-extension="*\Appdata\local\chrome"'
    Image|endswith:
      - '\chrome.exe'
  condition: selection1 and selection2
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.persistence
  - attack.t1176
  - attack.t1053.005
--------------------------------------------------------------------------------

/MISC/hh_LOLBA.yml:
--------------------------------------------------------------------------------
title: HH.exe LOLBA executing .chm files
description: Detects the execution of hh.exe and the follow-up activity that downloads or executes
  second stage payloads. This is based on malspam activity delivering Remote Access Trojans via initial .chm
  payloads.
status: experimental
references:
  - https://www.virustotal.com/gui/file/f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f/behavior/C2AE
  - https://tria.ge/220520-cbrbasebb7/behavioral2
  - https://www.socinvestigation.com/threat-actors-abuse-microsofts-html-help-file-to-deliver-malware/
author: '@Kostastsale'
date: 2022/05/24
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\hh.exe'
    ParentCommandLine|endswith:
      - '.chm'
  selection2:
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - ' /c '
  selection3:
    Image|endswith:
      - '\pwsh.exe'
      - '\powershell.exe'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1218.001
--------------------------------------------------------------------------------

/vulnerability_exploitation/VMWare_CVE-2022-22954.yml:
--------------------------------------------------------------------------------
title: Exploitation of VMWare Workspace One Access vulnerability (CVE-2022-22954)
description: Detects possible exploitation of vulnerability CVE-2022-22954. As reported by Morphisec, as part of the attack chain
  threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat prunsrv.exe process.
status: experimental
date: 2022/04/25
author: '@kostastsale'
references:
  - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
  - https://nvd.nist.gov/vuln/detail/CVE-2022-22954
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\prunsrv.exe'
    Image|endswith:
      - '\powershell.exe'
  selection2:
    ParentImage|endswith:
      - '\prunsrv.exe'
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - 'cmd.exe /c powershell'
  condition: selection1 or selection2
falsepositives:
  - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
level: high
tags:
  - attack.execution
  - attack.t1059.006
  - attack.initial_access
  - attack.t1190
--------------------------------------------------------------------------------

/windows_exploitation/ms-msdt_exploitation.yml:
--------------------------------------------------------------------------------
title: ms-msdt for RCE CVE-2022-30190
description: Detects the execution of a weaponized maldoc or an embedded link in Outlook that uses the ms-msdt scheme to execute code.
status: experimental
references:
  - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
  - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
  - https://twitter.com/nao_sec/status/1530196847679401984
  - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
  - https://twitter.com/secforce_ltd/status/1531987722293886978?s=21&t=f6-tesTzFEhR7TSoyTtp8Q
author: '@Kostastsale'
date: 2022/05/29
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\msdt.exe'
    CommandLine|contains|all:
      - 'msdt'
      - '/id'
  selection2:
    CommandLine|contains|all:
      - 'IT_BrowseForFile'
      - 'IT_LaunchMethod'
  selection3:
    CommandLine|contains|all:
      - '/af'
      - '.xml'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1204.002
--------------------------------------------------------------------------------

/windows_exploitation/Kerberoasting_Activity.yml:
--------------------------------------------------------------------------------
title: Kerberoasting Activity - Initial query
description: This rule collects the data needed to start looking into possible Kerberoasting activity.
  Further analysis or computation within the query is needed, focusing on requests from one specific host/IP towards
  multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests
  and the time between the requests to turn this into an alert.
date: 2022/01/21
author: '@kostastsale'
references:
  - https://www.trustedsec.com/blog/art_of_kerberoast/
  - https://adsecurity.org/?p=3513
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    Status: '0x0'  # Translated as status from the failure code field. Query only for successes
    TicketEncryptionType: '0x17'  # RC4 ticket encryption type
  filter:
    ServiceName|endswith:
      - 'krbtgt'  # Ignore requests for the krbtgt service
      - '$'  # Ignore service names that end with $, which are associated with genuine Kerberos traffic
    TargetUserName|contains:
      - '$@'  # Ignore requests from machines
  condition: selection and not filter
falsepositives:
  - Legacy applications
level: medium
--------------------------------------------------------------------------------

/MISC/win-lazagne.yml:
--------------------------------------------------------------------------------
title: Using LaZagne to dump credentials
status: experimental
description: Detects the use of LaZagne based on its command line execution.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
  - https://github.com/AlessandroZ/LaZagne/blob/master/Windows/lazagne/config/execute_cmd.py
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    CommandLine|contains|all:
      - '/c'
      - 'reg.exe'
      - 'save'
    ParentCommandLine|contains:
      - 'all'
  selection2:
    ParentCommandLine|contains:
      - '-oN'
      - '-oA'
      - '-oJ'
      - '-quiet'
      - '-output'
    CommandLine|contains:
      - 'hklm\system'
      - 'hklm\security'
      - 'hklm\sam'
  modules:
    Image|endswith:
      - '\lazagne.exe'
    CommandLine|contains:
      - 'browsers'
      - 'chats'
      - 'databases'
      - 'games'
      - 'memory'
      - 'git'
      - 'maven'
      - 'sysadmin'
      - 'php'
      - 'svn'
      - 'multimedia'
  condition: (selection1 and selection2) or modules
falsepositives:
  - Unknown
level: high
tags:
  - attack.credential_access
  - attack.t1555
--------------------------------------------------------------------------------

/malware/SocGholish_FakeUpdates.yml:
--------------------------------------------------------------------------------
title: FakeUpdates/SocGholish Malware Detection
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript, which later executes commands via cmd or PowerShell.
status: experimental
date: 2022/06/16
author: '@kostastsale'
references:
  - https://twitter.com/th3_protoCOL/status/1536788652889497600
  - https://twitter.com/1ZRR4H/status/1537501582727778304
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentImage|endswith:
      - '\wscript.exe'
    Image|endswith:
      - '\cmd.exe'
    CommandLine|contains:
      - '/c'
  selection2:
    ParentImage|endswith:
      - '\wscript.exe'
    Image|endswith:
      - '\powershell.exe'
  selection3:
    ParentCommandLine|contains|all:
      - 'Appdata\Local\Temp'
      - '.zip'
      - 'update'
      - '.js'
  selection4:
    ParentCommandLine|contains:
      - 'Chrome'
      - 'Edge'
      - 'Firefox'
      - 'Opera'
      - 'Brave'  # Not seen in campaigns
      - 'Vivaldi'  # Not seen in campaigns
  condition: (selection1 or selection2) and selection3 and selection4
falsepositives:
  - Unlikely
level: high
tags:
  - attack.execution
  - attack.t1059.001
--------------------------------------------------------------------------------

/MISC/reg_enabling_rdp.yml:
--------------------------------------------------------------------------------
title: Enabling RDP service via reg.exe command execution
status: experimental
description: Detects the execution of reg.exe with command line arguments that enable the RDP service on the host.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\reg.exe'
    CommandLine|contains|all:
      - 'add'
      - 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server'
      - 'REG_DWORD'
  Winstations1:
    CommandLine|contains:
      - 'WinStations\RDP-Tcp'
  Winstations2:
    CommandLine|contains:
      - 'MaxInstanceCount'
      - 'fEnableWinStation'
  selection2:
    CommandLine|contains|all:
      - 'Licensing Core'
      - 'EnableConcurrentSessions'
  selection3:
    CommandLine|contains:
      - 'TSUserEnabled'
      - 'TSEnabled'
      - 'TSAppCompat'
      - 'IdleWinStationPoolCount'
      - 'TSAdvertise'
      - 'AllowTSConnections'
      - 'fSingleSessionPerUser'
  condition: selection1 and ((Winstations1 and Winstations2) or (selection2 or selection3))
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.lateral_movement
  - attack.t1021.001
  - attack.t1112
--------------------------------------------------------------------------------

/windows_exploitation/DC_Impersonation.yml:
--------------------------------------------------------------------------------
title: SamAccountName Spoofing and Domain Controller Impersonation
status: experimental
author: '@kostastsale'
description: |
  This rule detects the exploitation chain of CVE-2021-42287 (samAccountName Spoofing) and CVE-2021-42278 (Domain Controller Impersonation).
  It looks at event 4781 for evidence of a new computer account creation and a rename that matches the name of a domain controller account without
  the trailing '$'. Computer account names always end with '$', and a change like this is highly unusual.

  Immediately after the 4781 event, a Kerberos Ticket Granting Ticket (TGT) must be requested on behalf of the newly created and renamed computer account.
  A computer account name event will occur before this TGT request.

  Putting everything together, we may use events 4781 and 4768 to look for a series of events in which the new computer account name on event 4781 matches
  the requested account on event 4768.

  NOTE: On selection2, the `TargetUserName` should equal `NewTargetUserName`.
I have left it as a placeholder but this should change dependingon the backend 15 | you are translating the query to. 16 | 17 | Splunk Example-- `| eval RenamedComputerAccount = coalesce(New_Account_Name, mvindex(Account_Name,0)) 18 | | transaction RenamedComputerAccount endswith=(EventCode=4781)`' 19 | 20 | references: 21 | - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html 22 | - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45 23 | - https://www.fortinet.com/blog/threat-research/cve-2021-42278-cve-2021-42287-from-user-to-domain-admin-60-seconds 24 | logsource: 25 | product: windows 26 | service: security 27 | detection: 28 | selection1: 29 | EventID: 4781 30 | OldTargetUserName|endswith: '$' 31 | selection2: 32 | EventID: 4768 33 | TargetUserName: %NewTargetUserName% 34 | filter: 35 | - NewTargetUserName|endswith: '$' 36 | - TargetUserName|endswith: '$' 37 | condition: (selection1 and selection2) and not filter 38 | falsepositives: 39 | - Uknown 40 | level: High 41 | tags: 42 | - attack.privilege_escalation 43 | - attack.t1068 44 | --------------------------------------------------------------------------------
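As an added example that is not part of this rule set, the Python below applies the logic of two of the rules on this page, the Kerberoasting 4769 filter (the rule whose first lines fall before this section) and DC_Impersonation.yml, to a handful of constructed Windows Security events. The event dicts, the realm name and the account names are constructed for illustration; field names follow the rules. Sigma string matching is case-insensitive, which the code models by lower-casing field values, and the 4781-to-4768 join that the rule leaves as a backend placeholder is resolved here by stream order: a 4768 counts only if an earlier 4781 dropped the trailing '$' from the same name.

```python
"""Evaluate the Kerberoasting and DC_Impersonation rules over constructed events.

Added example, not part of the rule repository. Field names follow the Sigma rules
(Windows Security log); the events themselves are constructed, not captured.
"""

# Constructed Security events (not real log data). Only the fields the two rules
# reference are present; values mirror what the Security log would carry.
EVENTS = [
    # 4769 TGS request, RC4 (0x17), success, user requester, user SPN: Kerberoasting candidate
    {"EventID": 4769, "Status": "0x0", "TicketEncryptionType": "0x17",
     "ServiceName": "svc_sql", "TargetUserName": "jdoe@CORP.LOCAL"},
    # same request with AES256 (0x12): not RC4, outside the selection
    {"EventID": 4769, "Status": "0x0", "TicketEncryptionType": "0x12",
     "ServiceName": "svc_sql", "TargetUserName": "jdoe@CORP.LOCAL"},
    # RC4 but the service is krbtgt: excluded by the filter
    {"EventID": 4769, "Status": "0x0", "TicketEncryptionType": "0x17",
     "ServiceName": "krbtgt", "TargetUserName": "jdoe@CORP.LOCAL"},
    # RC4 but the requester is a machine account (name$@realm): excluded by the filter
    {"EventID": 4769, "Status": "0x0", "TicketEncryptionType": "0x17",
     "ServiceName": "svc_sql", "TargetUserName": "WS01$@CORP.LOCAL"},
    # RC4 but a non-zero failure code: outside the selection
    {"EventID": 4769, "Status": "0x20", "TicketEncryptionType": "0x17",
     "ServiceName": "svc_sql", "TargetUserName": "jdoe@CORP.LOCAL"},
    # 4781: an attacker-created computer account renamed to a DC name without the trailing '$'
    {"EventID": 4781, "OldTargetUserName": "FAKE01$", "NewTargetUserName": "DC01"},
    # 4768: a TGT is then requested for the renamed account
    {"EventID": 4768, "TargetUserName": "DC01"},
    # benign rename that keeps the trailing '$', then its TGT request: excluded by the filter
    {"EventID": 4781, "OldTargetUserName": "WS02$", "NewTargetUserName": "WS03$"},
    {"EventID": 4768, "TargetUserName": "WS03$"},
    # 4768 for a name that was never the target of a '$'-dropping rename: no hit
    {"EventID": 4768, "TargetUserName": "DC02"},
]


def _f(event, field):
    """Field value folded to lower case, since Sigma string matching is case-insensitive."""
    return str(event.get(field, "")).lower()


def is_kerberoast_candidate(event):
    """Kerberoasting rule, 'selection and not filter', applied to a single event."""
    if event.get("EventID") != 4769:
        return False
    selection = _f(event, "Status") == "0x0" and _f(event, "TicketEncryptionType") == "0x17"
    service, requester = _f(event, "ServiceName"), _f(event, "TargetUserName")
    filtered = (service.endswith("krbtgt")   # requests for the krbtgt service itself
                or service.endswith("$")     # services run as machine accounts
                or "$@" in requester)        # tickets requested by machine accounts
    return selection and not filtered


def kerberoast_hits(events):
    """(ServiceName, TargetUserName) for every event the Kerberoasting rule would alert on."""
    return [(e["ServiceName"], e["TargetUserName"]) for e in events if is_kerberoast_candidate(e)]


def dc_impersonation_hits(events):
    """DC_Impersonation.yml with the placeholder join resolved in code.

    selection1: a 4781 whose old name ends in '$' (a computer account) and whose new
    name does not (the filter); selection2: a later 4768 whose TargetUserName equals
    that new name. Stream order is the only correlation used, standing in for the
    backend-specific join the rule's NOTE leaves open.
    """
    renamed = set()   # new names produced by '$'-dropping renames seen so far
    hits = []
    for e in events:
        if e.get("EventID") == 4781:
            old, new = _f(e, "OldTargetUserName"), _f(e, "NewTargetUserName")
            if old.endswith("$") and not new.endswith("$"):
                renamed.add(new)
        elif e.get("EventID") == 4768:
            name = _f(e, "TargetUserName")
            if name in renamed and not name.endswith("$"):
                hits.append(e["TargetUserName"])
    return hits


if __name__ == "__main__":
    print("Kerberoasting candidates:", kerberoast_hits(EVENTS))
    print("Renamed computer accounts that then requested a TGT:", dc_impersonation_hits(EVENTS))
```

Run against the constructed stream, only the first 4769 survives the Kerberoasting filter and only DC01 is reported by the rename-then-TGT correlation; swapping the 4781 and 4768 for DC01 yields no hit, which is the ordering the rule's description relies on.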