├── 2022 └── 2022-12 │ └── 29-OWASSRF │ └── detections │ └── sigma │ ├── pwsh-reverse-shell.yml │ └── pwsh-spawned-from-w3wp.yml ├── 2023 ├── 2023-02 │ ├── 07-GoAnywhere │ │ └── detections │ │ │ └── sigma │ │ │ └── process-spawned-from-goanywhere-tomcat.yml │ └── 2023-02-09-Qakbot-execution.yml ├── 2023-03 │ ├── 30-3CX │ │ └── tools │ │ │ └── Check-3cxVulnerability.ps1 │ └── cve-23397 │ │ └── win_cve_23397_davclnt_wav.yml ├── 2023-04 │ └── 20-PaperCut │ │ └── win_susp_papercut_code_execution.yml ├── 2023-06 │ └── 1-MOVEit │ │ ├── sigma │ │ └── cve_2023_34362_exploitation.yml │ │ └── yara │ │ └── human2_MOVEit.yar └── 2023-11 │ └── suspicious_child_process_from_activemq.yml ├── 2024 ├── 2024-02 │ └── connectwise │ │ ├── sigma │ │ ├── file_event_exploit_cve_2024_1708_screenconnect_.yml │ │ ├── file_event_win_exploit_cve_2024_1709_database_modification_screenconnect.yml │ │ ├── file_event_win_sysmon_cve_2024_1709_database_modification_screenconnect.yml │ │ └── web_exploit_cve_2024_1709_screenconnect.yml │ │ └── yara │ │ └── web_exploit_cve_2024_1709_screenconnect.yar ├── 2024-04 │ └── macos-lightspy │ │ ├── sigma │ │ └── lightspy_macos_proc_create_shared.yml │ │ └── yara │ │ └── lightspy.yara ├── 2024-07 │ └── boinc │ │ ├── sigma │ │ ├── boinc_signature.yml │ │ ├── powershell_from_headless_conhost.yml │ │ ├── process_no_name.yml │ │ └── renamed_boinc.yml │ │ └── yara │ │ └── boinc.yar ├── 2024-11 │ └── safepay │ │ └── sigma │ │ ├── proc_creation_win_disable_defender_systemsettings_gui.yml │ │ ├── proc_creation_win_disable_defender_threat_protection_settings.yml │ │ ├── proc_creation_win_proxy_exection_cmstplua_interface.yml │ │ ├── proc_creation_win_scripting_interpreter_cmstplua_interface.yml │ │ ├── proc_creation_win_winrar_archive_create_recursive.yml │ │ └── proc_creation_win_winrar_archive_create_volume_size.yml └── 2024-12 │ └── Cleo │ ├── sigma │ ├── win_proc_creation_cleo_exploitation_2024.yml │ └── win_proc_creation_suspicious_powershell_from_javaw.yml │ └── yara │ └── Malichus.yar ├── 2025 ├── 2025-03 │ └── CrushFTP │ │ └── sigma │ │ └── win_proc_creation_shell_child_process_crushftp.yml ├── 2025-04 │ └── CentreStack_CVE-2025-30406 │ │ ├── chainsaw │ │ └── cve-2025-30406_chainsaw_rule.yml │ │ └── sigma │ │ └── windows_susp_exec_from_centrastack_or_triofox.yml └── 2025-05 │ ├── .DS_Store │ ├── Advanced_Critical_Marketing_Research_Intrusion │ ├── windows_mesh_agent_execution.yml │ └── windows_susp_mail_exchanger_enumeration_with_shortened_query_paramter_via_nslookup.yml │ └── defendnot │ ├── sigma │ ├── win_image_load_defendnot_dll_taskmgr.yml │ ├── win_image_load_taskmgr_unsigned.yml │ ├── win_security_defendnot_child_process_taskmgr.yml │ ├── win_security_defendnot_default_scheduled_task_creation.yml │ ├── win_security_defendnot_defender_state_correlation.yml │ ├── win_security_defendnot_file_creation.yml │ ├── win_security_defendnot_process_creation.yml │ ├── win_security_defendnot_updated_scheduled_task.yml │ ├── win_security_modifiy_security_center_registry_key.yml │ └── win_security_process_access_defendnot.yml │ └── yara │ └── defendnot_tool.yar ├── .gitignore ├── LICENSE └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | # macOS junk files 2 | .DS_Store 3 | 4 | # Byte-compiled / optimized / DLL files 5 | __pycache__/ 6 | *.py[cod] 7 | *$py.class 8 | 9 | # C extensions 10 | *.so 11 | 12 | # Distribution / packaging 13 | .Python 14 | build/ 15 | develop-eggs/ 16 | dist/ 17 | downloads/ 18 | eggs/ 19 | .eggs/ 20 | lib/ 21 | lib64/ 22 | parts/ 23 | sdist/ 24 | var/ 25 | wheels/ 26 | pip-wheel-metadata/ 27 | share/python-wheels/ 28 | *.egg-info/ 29 | .installed.cfg 30 | *.egg 31 | MANIFEST 32 | 33 | # PyInstaller 34 | # Usually these files are written by a python script from a template 35 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 36 | *.manifest 37 | *.spec 38 | 39 | # Installer logs 40 | pip-log.txt 41 | pip-delete-this-directory.txt 42 | 43 | # Unit test / coverage reports 44 | htmlcov/ 45 | .tox/ 46 | .nox/ 47 | .coverage 48 | .coverage.* 49 | .cache 50 | nosetests.xml 51 | coverage.xml 52 | *.cover 53 | *.py,cover 54 | .hypothesis/ 55 | .pytest_cache/ 56 | 57 | # Translations 58 | *.mo 59 | *.pot 60 | 61 | # Django stuff: 62 | *.log 63 | local_settings.py 64 | db.sqlite3 65 | db.sqlite3-journal 66 | 67 | # Flask stuff: 68 | instance/ 69 | .webassets-cache 70 | 71 | # Scrapy stuff: 72 | .scrapy 73 | 74 | # Sphinx documentation 75 | docs/_build/ 76 | 77 | # PyBuilder 78 | target/ 79 | 80 | # Jupyter Notebook 81 | .ipynb_checkpoints 82 | 83 | # IPython 84 | profile_default/ 85 | ipython_config.py 86 | 87 | # pyenv 88 | .python-version 89 | 90 | # pipenv 91 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 92 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 93 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 94 | # install all needed dependencies. 95 | #Pipfile.lock 96 | 97 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 98 | __pypackages__/ 99 | 100 | # Celery stuff 101 | celerybeat-schedule 102 | celerybeat.pid 103 | 104 | # SageMath parsed files 105 | *.sage.py 106 | 107 | # Environments 108 | .env 109 | .venv 110 | env/ 111 | venv/ 112 | ENV/ 113 | env.bak/ 114 | venv.bak/ 115 | 116 | # Spyder project settings 117 | .spyderproject 118 | .spyproject 119 | 120 | # Rope project settings 121 | .ropeproject 122 | 123 | # mkdocs documentation 124 | /site 125 | 126 | # mypy 127 | .mypy_cache/ 128 | .dmypy.json 129 | dmypy.json 130 | 131 | # Pyre type checker 132 | .pyre/ 133 | -------------------------------------------------------------------------------- /2022/2022-12/29-OWASSRF/detections/sigma/pwsh-reverse-shell.yml: -------------------------------------------------------------------------------- 1 | title: Pwsh-reverse-shell 2 | id: 19bab1e3-73a8-4330-86a5-cc339c511c18 3 | status: experimental 4 | description: Detects PowerShell reverse shell 5 | references: 6 | - Internal Research 7 | author: Huntress DE&TH Team 8 | date: 2022/12/29 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection_pwsh: 14 | Image|endswith: '\powershell.exe' 15 | selection_cli_1: 16 | CommandLine|contains|all: 17 | - "net.sockets.tcpclient" 18 | - "io.streamwriter" 19 | selection_cli_2: 20 | CommandLine|contains|all: 21 | - "net.sockets.tcpclient" 22 | - "getstream" 23 | condition: selection_pwsh and 1 of selection_cli_* 24 | falsepositives: 25 | - Unknown 26 | level: medium 27 | -------------------------------------------------------------------------------- /2022/2022-12/29-OWASSRF/detections/sigma/pwsh-spawned-from-w3wp.yml: -------------------------------------------------------------------------------- 1 | logsource: 2 | category: process_creation 3 | product: windows 4 | detection: 5 | selection: 6 | - Image|endswith: '\powershell.exe' 7 | - ParentImage|endswith: '\w3wp.exe' 8 | condition: selection 9 | 10 | # Base64 encoded powershell is a clear indication of OWASSRF activity 11 | -------------------------------------------------------------------------------- /2023/2023-02/07-GoAnywhere/detections/sigma/process-spawned-from-goanywhere-tomcat.yml: -------------------------------------------------------------------------------- 1 | title: Process Spawned From GoAnywhere Tomcat 2 | id: 3667b97f-e86c-434b-b70d-88ccaee6854b 3 | status: test 4 | description: Detects processes spawning from tomcat located in the GoAnywhere folder 5 | references: 6 | - https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits 7 | authors: Matt Anderson, Anthony Smith, Kris Luzadre 8 | tags: 9 | - attack.execution 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | - ParentImage|endswith: "\\Goanywhere\\tomcat\\bin\\tomcat.exe" 16 | filter: 17 | - Image|endswith: "\\conhost.exe" 18 | condition: selection and not filter 19 | falsepositives: 20 | - Unknown 21 | level: high 22 | -------------------------------------------------------------------------------- /2023/2023-02/2023-02-09-Qakbot-execution.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Qakbot Execution (Rundll32/Powershell) - Feb 2023 2 | id: 848b7a9b-e509-4817-bf43-acffa1eec4d2 3 | status: test 4 | description: Detects suspicious Qakbot execution activity, observed on february 2023. 5 | references: 6 | - https://github.com/embee-research/IOCS/blob/main/2023-02-09-Qakbot.txt 7 | - https://twitter.com/pr0xylife/status/1623378563880652826 8 | authors: Matthew Brennan 9 | tags: 10 | - attack.execution 11 | logsource: 12 | category: process_creation 13 | product: windows 14 | detection: 15 | selection_powershell: 16 | ParentImage|endswith: '\cmd.exe' 17 | ParentCommandLine|contains: 18 | - 'exported' 19 | - 'open.cmd' 20 | - 'GoodOldFile.bat' 21 | Image|endswith: '\powershell.exe' 22 | selection_rundll32: 23 | Image|endswith: '\rundll32.exe' 24 | CommandLine|contains: 'ProgramData' 25 | ParentImage|endswith: '\cmd.exe' 26 | ParentCommandLine|contains: 'public' 27 | selection_renamed: 28 | Image|endswith: '\t.exe' 29 | Image|contains: 'Public' 30 | condition: 1 of selection_* 31 | falsepositives: 32 | - Unknown 33 | level: high 34 | -------------------------------------------------------------------------------- /2023/2023-03/30-3CX/tools/Check-3cxVulnerability.ps1: -------------------------------------------------------------------------------- 1 | # Title: Script to locate 3CX Windows Desktop Application 2 | # Authors: Huntress 3 | # Status: experimental 4 | # Description: Searches user profiles and known installation locations for compromised 3CX Windows Application installs. 5 | # References: https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats 6 | 7 | # Copyright (c) 2023 Huntress Labs, Inc. 8 | # All rights reserved. 9 | # 10 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 11 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 12 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the 13 | # documentation and/or other materials provided with the distribution. 14 | # * Neither the name of the Huntress Labs nor the names of its contributors may be used to endorse or promote products derived from this software 15 | # without specific prior written permission. 16 | # 17 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL HUNTRESS LABS BE LIABLE FOR ANY DIRECT, 19 | # INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 20 | # OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 | # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | # 23 | 24 | 25 | # look for Program Files 3cx installation 26 | $locations = @() 27 | if (test-path "C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe"){ 28 | $locations += "C:\Program Files\3CXDesktopApp\3CXDesktopApp.exe" 29 | } 30 | if (test-path "C:\Program Files\3CXDesktopApp\Update.exe"){ 31 | $locations += "C:\Program Files\3CXDesktopApp\Update.exe" 32 | } 33 | 34 | $badHash = @( 35 | "a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203", 36 | "5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734", 37 | "54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02", 38 | "d45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae" 39 | ) 40 | 41 | # recurse the user folders for 3cx 42 | $users = Get-ChildItem "c:\users\" 43 | foreach ($user in $users) { 44 | if ($user.name -ne "Public") { 45 | if (test-path "C:\users\$($user.name)\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe"){ 46 | $locations += "C:\users\$($user.name)\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe" 47 | } 48 | if (test-path "C:\users\$($user.name)\AppData\Local\Programs\3CXDesktopApp\Update.exe"){ 49 | $locations += "C:\users\$($user.name)\AppData\Local\Programs\3CXDesktopApp\Update.exe" 50 | } 51 | } 52 | } 53 | 54 | # now with all the locations stored we can start comparing them to the known bad hash 55 | $badCount = 0 56 | foreach ($location in $locations) { 57 | if ($badHash -contains (Get-FileHash $location).Hash){ 58 | Write-Output "Bad hash found at $($location)" 59 | Write-Output $env:computername 60 | Write-Output $(ipconfig) 61 | $badCount++ 62 | } 63 | } 64 | 65 | if ($badCount -lt 1){ 66 | Write-Output "No bad hashes found at $($env:computername)" 67 | } -------------------------------------------------------------------------------- /2023/2023-03/cve-23397/win_cve_23397_davclnt_wav.yml: -------------------------------------------------------------------------------- 1 | title: Possible CVE-2023-23397 2 | id: 00c2ad6a-fb88-42c9-bc48-57450e33ea0f 3 | status: experimental 4 | description: | 5 | Detects suspicious Rundll32 WebDAV client execution with observed .WAV artifact added to the UNC path. 6 | The .WAV is associated with the value stored in the PidLidReminderFileParameter which determines the audio tone to use in a missed meeting or overdue task. 7 | The UNC path in the attack forces the victim machine to look for the file on a remote server where the victim machine attempts to authenticate -- subsequently leaking NTLM hashes. 8 | references: 9 | - https://www.huntress.com/blog/everything-we-know-about-cve-2023-23397 10 | author: Huntress DE&TH Team 11 | date: 2023/03/16 12 | tags: 13 | - attack.exfiltration 14 | - attack.t1048.003 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | ParentImage|endswith: '\svchost.exe' 21 | Image|endswith: '\rundll32.exe' 22 | CommandLine|contains|all: 23 | - 'C:\windows\system32\davclnt.dll,DavSetCookie' 24 | - '.WAV' 25 | condition: selection 26 | falsepositives: 27 | - unknown 28 | level: high 29 | 30 | -------------------------------------------------------------------------------- /2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml: -------------------------------------------------------------------------------- 1 | title: PaperCut MF/NG Vulnerability 2 | id: 4f315700-6fb5-4284-bfd6-eb8dc9f0928f 3 | status: test 4 | description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG 5 | references: 6 | - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software 7 | author: Huntress DE&TH Team 8 | tags: 9 | - attack.execution 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | ParentImage|endswith: "\\pc-app.exe" 16 | Image|endswith: 17 | - "\\cmd.exe" 18 | - "\\powershell.exe" 19 | condition: selection 20 | falsepositives: 21 | - Expected admin activity 22 | level: high 23 | -------------------------------------------------------------------------------- /2023/2023-06/1-MOVEit/sigma/cve_2023_34362_exploitation.yml: -------------------------------------------------------------------------------- 1 | title: MOVEit exploitation CVE-2023-34362 2 | id: a5d2c153-c3b9-4e95-a611-d54b3c12c16f 3 | status: experimental 4 | description: | 5 | MOVEitTransfer is affected by a critical vulnerability CVE-2023-34362. Exploited hosts show evidence of dynamically compliling a DLL, which then executes a script (file path for this temp file is C:\Windows\TEMP\[random]\[random].cmdline) to create a webshell that so far has always been named 'human2.aspx'. 6 | The filepaths 'c:\moveittransfer\wwwroot' and 'C:\Windows\Microsoft\.NET\Framework64\v4\.0\.30319\Temporary ASP\.NET Files\root' should be investigated for recently modified files. 7 | Evidence of exploitation can also be found on the webserver logs for the MOVEit Transfer application. 8 | references: 9 | - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response 10 | - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ 11 | - https://nvd.nist.gov/vuln/detail/CVE-2023-34362 12 | - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 13 | author: Huntress DE&TH Team 14 | date: 2023/06/02 15 | tags: 16 | - attack.execution 17 | - attack.t1059 18 | - attack.t1203 19 | logsource: 20 | category: process_creation 21 | product: windows 22 | detection: 23 | selection: 24 | ParentImage|endswith: '\w3wp.exe' 25 | ParentCommandLine|contains: 'moveitdmz pool' 26 | Image|endswith: '\csc.exe' 27 | CommandLine|contains: 'Windows\temp\' 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: high 32 | -------------------------------------------------------------------------------- /2023/2023-06/1-MOVEit/yara/human2_MOVEit.yar: -------------------------------------------------------------------------------- 1 | rule Malicious_MoveIt_Webshell { 2 | meta: 3 | description = "Rule to identify a specific malicious webshell (human2.aspx) associated with exploitation of the MOVEit vulnerability" 4 | author = "Anthony Smith, Huntress" 5 | 6 | strings: 7 | $aspTag = "<%@" 8 | $misspelling = "azureAccout" wide ascii fullword 9 | //Hard-coded misspelled azureAccout 10 | $requestVariable1 = "X-siLock-Comment" wide ascii fullword 11 | $requestVariable2 = "X-siLock-Step1" wide ascii fullword 12 | $requestVariable3 = "X-siLock-Step2" wide ascii fullword 13 | $requestVariable4 = "X-siLock-Step3" wide ascii fullword 14 | //Request variables are used to interact with multiple parts of the webshell 15 | 16 | condition: 17 | $aspTag at 0 and filesize > 6KB and filesize < 9KB and ($misspelling or $requestVariable1 or $requestVariable2 or $requestVariable3 or $requestVariable4) 18 | } 19 | -------------------------------------------------------------------------------- /2023/2023-11/suspicious_child_process_from_activemq.yml: -------------------------------------------------------------------------------- 1 | title: ActiveMQ Exploitation CVE-2023-46604 2 | id: 73eff0f0-e0fa-4a28-8b71-6287391cf0a2 3 | status: experimental 4 | description: | 5 | Apache ActiveMQ server is affected by a critical vulnerability, CVE-2023-46604. Evidence of exploitation has included suspicious child processes including cmd.exe and curl.exe used to download and execute files. This process normally has very few child processes. 6 | references: 7 | - https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/ 8 | - https://activemq.apache.org/security-advisories.data/CVE-2023-46604 9 | - https://nvd.nist.gov/vuln/detail/CVE-2023-46604 10 | author: Huntress DE&TH Team 11 | date: 2023/11/02 12 | tags: 13 | - attack.initial_access 14 | - attack.execution 15 | - attack.t1190 16 | - attack.t1059 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection: 22 | ParentImage|endswith: '\java.exe' 23 | ParentCommandLine|contains: 24 | - '\apache\' 25 | - 'ActiveMQ' 26 | filter: 27 | Image|endswith: 28 | - '\conhost.exe' 29 | - '\java.exe' 30 | condition: Selection1 and not filter 31 | falsepositives: 32 | - Unknown 33 | level: high 34 | -------------------------------------------------------------------------------- /2024/2024-02/connectwise/sigma/file_event_exploit_cve_2024_1708_screenconnect_.yml: -------------------------------------------------------------------------------- 1 | title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation 2 | id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62 3 | status: experimental 4 | description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory. 5 | references: 6 | - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 7 | - https://www.cve.org/CVERecord?id=CVE-2024-1708 8 | - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass 9 | author: Huntress DE&TH Team 10 | date: 2024/02/20 11 | tags: 12 | - attack.initial_access 13 | - attack.persistence 14 | - cve.2024.1709 15 | logsource: 16 | product: windows 17 | service: security 18 | definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory' 19 | detection: 20 | selection: 21 | EventID: 4663 22 | ObjectType: 'File' 23 | ProcessName|contains: 'ScreenConnect.Service.exe' 24 | AccessMask: '0x6' 25 | ObjectName|endswith: 26 | - 'ScreenConnect\\App_Extensions\\*.ashx' 27 | - 'ScreenConnect\\App_Extensions\\*.aspx' 28 | legitimate_path: 29 | ObjectName|contains: 'ScreenConnect\App_Extensions\\*\\' 30 | condition: selection and not legitimate_path 31 | falsepositives: 32 | - Unknown 33 | level: critical 34 | -------------------------------------------------------------------------------- /2024/2024-02/connectwise/sigma/file_event_win_exploit_cve_2024_1709_database_modification_screenconnect.yml: -------------------------------------------------------------------------------- 1 | title: ScreenConnect User Database Modification 2 | id: 4109cb6a-a4af-438a-9f0c-056abba41c6f 3 | status: experimental 4 | description: | 5 | This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. 6 | This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. 7 | This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory. 8 | references: 9 | - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 10 | - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass 11 | - https://www.cve.org/CVERecord?id=CVE-2024-1709 12 | author: Huntress DE&TH Team 13 | date: 2024/02/20 14 | tags: 15 | - cve.2024.1709 16 | logsource: 17 | product: windows 18 | service: security 19 | definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory' 20 | detection: 21 | selection: 22 | EventID: 4663 23 | ObjectType: 'File' 24 | AccessMask: '0x6' 25 | ObjectName|endswith: '.xml' 26 | ObjectName|contains|all: 27 | - 'Temp' 28 | - 'ScreenConnect' 29 | ProcessName|contains: ScreenConnect.Service.exe 30 | condition: selection 31 | falsepositives: 32 | - Unknown 33 | level: medium 34 | -------------------------------------------------------------------------------- /2024/2024-02/connectwise/sigma/file_event_win_sysmon_cve_2024_1709_database_modification_screenconnect.yml: -------------------------------------------------------------------------------- 1 | title: ScreenConnect User Database Modification - Sysmon 2 | id: 1a821580-588b-4323-9422-660f7e131020 3 | status: experimental 4 | description: | 5 | This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. 6 | This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. 7 | This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory. 8 | references: 9 | - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 10 | - https://www.cve.org/CVERecord?id=CVE-2024-1709 11 | - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass 12 | author: Huntress DE&TH Team 13 | date: 2024/02/21 14 | modified: 2024/07/23 15 | tags: 16 | - cve.2024.1709 17 | logsource: 18 | product: windows 19 | category: file_event 20 | definition: 'Requirements: The Advanced Auditing policy is required to log a successful Windows Event ID 4663 events and with a SACL set on the directory.' 21 | detection: 22 | selection: 23 | TargetFilename|endswith: '.xml' 24 | TargetFilename|contains|all: 25 | - 'Temp' 26 | - 'ScreenConnect' 27 | Image|contains: ScreenConnect.Service.exe 28 | condition: selection 29 | falsepositives: 30 | - This will occur legitimately as well and will result in some benign activity. 31 | level: medium 32 | -------------------------------------------------------------------------------- /2024/2024-02/connectwise/sigma/web_exploit_cve_2024_1709_screenconnect.yml: -------------------------------------------------------------------------------- 1 | title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation 2 | id: d27eabad-9068-401a-b0d6-9eac744d6e67 3 | status: experimental 4 | description: | 5 | Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709. 6 | references: 7 | - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 8 | - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass 9 | - https://www.cve.org/CVERecord?id=CVE-2024-1709 10 | author: Matt Anderson, Huntress 11 | date: 2024/02/20 12 | tags: 13 | - attack.initial_access 14 | - attack.persistence 15 | - cve.2024.1709 16 | logsource: 17 | category: webserver 18 | detection: 19 | selection: 20 | cs-uri-stem|contains: '/SetupWizard.aspx/' 21 | condition: selection 22 | falsepositives: 23 | - Unknown 24 | level: critical 25 | -------------------------------------------------------------------------------- /2024/2024-02/connectwise/yara/web_exploit_cve_2024_1709_screenconnect.yar: -------------------------------------------------------------------------------- 1 | rule ScreenConnect_CVE_2024_1709_Exploitation { 2 | meta: 3 | description = "Detects a GET request to '/SetupWizard.aspx/' with anything following it, which is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect 23.9.8 vulnerability (CWE-288), when found in IIS logs" 4 | author = "Huntress DE&TH Team" 5 | reference = "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass" 6 | date = "2024-02-20" 7 | id = "2886530b-e164-4c4b-b01e-950e3c40acb4" 8 | strings: 9 | $s1 = "/SetupWizard.aspx/" ascii 10 | 11 | condition: 12 | $s1 13 | } -------------------------------------------------------------------------------- /2024/2024-04/macos-lightspy/sigma/lightspy_macos_proc_create_shared.yml: -------------------------------------------------------------------------------- 1 | title: LightSpy MacOS Malware File Creation Activity 2 | id: 75d6d6fc-026f-11ef-aa62-f23ada0a3aed 3 | status: test 4 | description: Detects the creation of malicious files in the Shared directory used by the LightSpy malware. 5 | author: Stuart Ashenbrenner 6 | references: 7 | - https://huntress.com/blog/lightspy-malware-variant-targeting-macos 8 | date: 2024/04/24 9 | modified: 2024/07/23 10 | tags: 11 | - attack.exfiltration 12 | - attack.t1041 13 | logsource: 14 | category: file_event 15 | product: macos 16 | detection: 17 | selection: 18 | TargetFilename|contains: '/Users/Shared/update.app' 19 | condition: selection 20 | falsepositives: 21 | - None observed 22 | level: high 23 | -------------------------------------------------------------------------------- /2024/2024-04/macos-lightspy/yara/lightspy.yara: -------------------------------------------------------------------------------- 1 | private rule Macho { 2 | meta: 3 | description = "private rule to match Mach-O binaries" 4 | condition: 5 | uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca 6 | 7 | } 8 | 9 | rule MACOS_LIGHTSPY_LOADER_20240422 { 10 | meta: 11 | description = "Detects on the LightSpy loader" 12 | author = "Stuart Ashenbrenner, Alden Schmidt" 13 | date = "2024-04-22" 14 | modified = "2024-04-22" 15 | 16 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 17 | hash1 = "4b973335755bd8d48f34081b6d1bea9ed18ac1f68879d4b0a9211bbab8fa5ff4" 18 | hash2 = "77e983dcde7752278c0fbfc29d92b237c3961de7517d7bcf0877ce83e9b58278" 19 | 20 | strings: 21 | $a0 = "FrameworkLoader" 22 | $a1 = "PLATFORM_MACOS" 23 | $a2 = { 44 6f 77 6e 6c 6f 61 64 65 72 } 24 | 25 | 26 | condition: 27 | Macho and all of them 28 | } 29 | 30 | rule MACOS_LIGHTSPY_IMPLANT_20240422 { 31 | meta: 32 | description = "Detects on the LightSpy implant" 33 | author = "Stuart Ashenbrenner, Alden Schmidt" 34 | date = "2024-04-22" 35 | modified = "2024-04-22" 36 | 37 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 38 | hash1 = "0f66a4daba647486d2c9d838592cba298df2dbf38f2008b6571af8a562bc306c" 39 | 40 | strings: 41 | $a0 = { 52 65 61 6c 54 69 6d 65 43 6d 64 } 42 | $a1 = { 73 65 6c 65 63 74 20 2a 20 66 72 6f 6d 20 74 5f 63 6f 6e 66 69 67 } 43 | $a2 = { 2f 76 61 72 2f 63 6f 6e 74 61 69 6e 65 72 73 2f 42 75 6e 64 6c 65 2f 69 72 63 62 69 6e 2e 70 6c 69 73 74 } 44 | $a3 = { 74 5f 63 6f 6d 6d 61 6e 64 5f 70 6c 61 6e } 45 | $a4 = { 63 6f 6d 2e 61 6c 61 6d 6f 66 69 72 65 2e } 46 | 47 | condition: 48 | Macho and all of them 49 | } 50 | 51 | rule MACOS_LIGHTSPY_AUDIODYLIB_20240422 { 52 | meta: 53 | description = "Detects on the LightSpy libAudioRecorder dylib" 54 | author = "Stuart Ashenbrenner, Alden Schmidt" 55 | date = "2024-04-22" 56 | modified = "2024-04-22" 57 | 58 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 59 | hash1 = "0f662991dbd0568fc073b592f46e60b081eedf0c18313f2c3789e8e3f7cb8144" 60 | 61 | strings: 62 | $path = "/usr/local/lib/libAudioRecorder.dylib" 63 | 64 | $a0 = { 61 72 63 6c 69 74 65 } 65 | $a1 = { 41 75 64 69 6f 52 65 63 6f 72 64 65 72 } 66 | 67 | condition: 68 | Macho and all of them 69 | } 70 | 71 | rule MACOS_LIGHTSPY_BROWSERHISTORYDYLIB_20240422 { 72 | meta: 73 | description = "Detects on the LightSpy libBrowserHistory dylib" 74 | author = "Stuart Ashenbrenner, Alden Schmidt" 75 | date = "2024-04-22" 76 | modified = "2024-04-22" 77 | 78 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 79 | hash1 = "3d6ef4d88d3d132b1e479cf211c9f8422997bfcaa72e55e9cc5d985fd2939e6d" 80 | 81 | strings: 82 | $path = "/usr/local/lib/libBrowserHistory.dylib" 83 | 84 | $a0 = "/Library/Application Support/Google/Chrome/Default/History" 85 | $a1 = "/Library/Safari/History.db" 86 | $a2 = { 42 72 6f 77 73 65 72 48 69 73 74 6f 72 79 } 87 | $a3 = { 61 72 63 6c 69 74 65 } 88 | 89 | condition: 90 | Macho and all of them 91 | } 92 | 93 | rule MACOS_LIGHTSPY_CAMERADYLIB_20240422 { 94 | meta: 95 | description = "Detects on the LightSpy libCameraShot dylib" 96 | author = "Stuart Ashenbrenner, Alden Schmidt" 97 | date = "2024-04-22" 98 | modified = "2024-04-22" 99 | 100 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 101 | hash1 = "18bad57109ac9be968280ea27ae3112858e8bc18c3aec02565f4c199a7295f3a" 102 | 103 | strings: 104 | $path = "/usr/local/lib/libCameraShot.dylib" 105 | 106 | $a0 = { 61 72 63 6c 69 74 65 } 107 | $a1 = { 43 61 6d 65 72 61 53 68 6f 74 } 108 | $a2 = { 54 61 6b 65 50 69 63 74 75 72 65 2e (6d | 68) } 109 | 110 | condition: 111 | Macho and all of them 112 | } 113 | 114 | rule MACOS_LIGHTSPY_FILEMANAGEDYLIB_20240422 { 115 | meta: 116 | description = "Detects on the LightSpy libFileManage dylib" 117 | author = "Stuart Ashenbrenner, Alden Schmidt" 118 | date = "2024-04-22" 119 | modified = "2024-04-22" 120 | 121 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 122 | hash1 = "5fb67d42575151dd2a04d7dda7bd9331651c270d0f4426acd422b26a711156b5" 123 | 124 | strings: 125 | $path = "/usr/local/lib/libFileManage.dylib" 126 | 127 | $a0 = "GetTelegramFileDir" 128 | $a1 = { 46 69 6c 65 4d 61 6e 61 67 65 20 44 6f 77 6e 4c 6f 61 64 46 69 6c 65 } 129 | 130 | condition: 131 | Macho and all of them 132 | } 133 | 134 | rule MACOS_LIGHTSPY_KEYCHAINDYLIB_20240422 { 135 | meta: 136 | description = "Detects on the LightSpy libKeyChains dylib" 137 | author = "Stuart Ashenbrenner, Alden Schmidt" 138 | date = "2024-04-22" 139 | modified = "2024-04-22" 140 | 141 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 142 | hash1 = "65aa91d8ae68e64607652cad89dab3273cf5cd3551c2c1fda2a7b90aed2b3883" 143 | 144 | strings: 145 | $path = "/usr/local/lib/libKeyChains.dylib" 146 | 147 | $a0 = { 6d 61 63 20 4b 65 79 20 43 68 61 69 6e 73 } 148 | $a1 = { 2f 61 70 69 2f 6b 65 79 63 68 61 69 6e } 149 | $a2 = { 6b 53 65 63 41 74 74 72 49 73 73 75 65 72 } 150 | $a3 = "PLATFORM_MACOS" 151 | 152 | condition: 153 | Macho and all of them 154 | } 155 | 156 | rule MACOS_LIGHTSPY_LANDYLIB_20240422 { 157 | meta: 158 | description = "Detects on the LightSpy libLanDevices dylib" 159 | author = "Stuart Ashenbrenner, Alden Schmidt" 160 | date = "2024-04-22" 161 | modified = "2024-04-22" 162 | 163 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 164 | hash1 = "4511567b33915a4c8972ef16e5d7de89de5c6dffe18231528a1d93bfc9acc59f" 165 | 166 | strings: 167 | $path = "/usr/local/lib/libLanDevices.dylib" 168 | 169 | $a0 = "CoreWLAN.framework" 170 | $a1 = { 2f 61 70 69 2f 6c 61 6e 5f 64 65 76 69 63 65 73 } 171 | $a2 = { 4d 61 63 46 69 6e 64 65 72 } 172 | 173 | condition: 174 | Macho and all of them 175 | } 176 | 177 | rule MACOS_LIGHTSPY_PROCESSANDAPPDYLIB_20240422 { 178 | meta: 179 | description = "Detects on the LightSpy libProcessAndApp dylib" 180 | author = "Stuart Ashenbrenner, Alden Schmidt" 181 | date = "2024-04-22" 182 | modified = "2024-04-22" 183 | 184 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 185 | hash1 = "d2ccbf41552299b24f186f905c846fb20b9f76ed94773677703f75189b838f63" 186 | 187 | strings: 188 | $path = "/usr/local/lib/libProcessAndApp.dylib" 189 | 190 | $a0 = { 50 72 6f 67 72 65 73 73 4c 6f 67 2e 6d } 191 | $a1 = { 2f 61 70 69 2f (61 70 70 2f | 70 72 6f 63 65 73 73 2f) } 192 | condition: 193 | Macho and all of them 194 | } 195 | 196 | rule MACOS_LIGHTSPY_SCREENRECORDERDYLIB_20240422 { 197 | meta: 198 | description = "Detects on the LightSpy libScreenRecorder dylib" 199 | author = "Stuart Ashenbrenner, Alden Schmidt" 200 | date = "2024-04-22" 201 | modified = "2024-04-22" 202 | 203 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 204 | hash1 = "7ed786a259982cce0fad8a704547c72690970145b9587d84ee6205b7c578b663" 205 | 206 | strings: 207 | $path = "/usr/local/lib/libScreenRecorder.dylib" 208 | 209 | $a0 = { 2f 78 38 36 5f 36 34 2f 53 63 72 65 65 6e 52 65 63 6f 72 64 65 72 2e 6f } 210 | $a1 = { 00 72 65 63 6f 72 64 20 73 63 72 65 65 6e } 211 | 212 | condition: 213 | Macho and all of them 214 | } 215 | 216 | rule MACOS_LIGHTSPY_SHELLDYLIB_20240422 { 217 | meta: 218 | description = "Detects on the LightSpy libShellCommand dylib" 219 | author = "Stuart Ashenbrenner, Alden Schmidt" 220 | date = "2024-04-22" 221 | modified = "2024-04-22" 222 | 223 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 224 | hash1 = "ac6d34f09fcac49c203e860da00bbbe97290d5466295ab0650265be242d692a6" 225 | 226 | strings: 227 | $path = "/usr/local/lib/libShellCommand.dylib" 228 | 229 | $a0 = { 2f 61 70 69 2f 73 68 65 6c 6c 2f 72 65 73 75 6c 74 } 230 | $a1 = "XXXExeCommand" 231 | $a2 = "GetDeviceID" 232 | 233 | condition: 234 | Macho and all of them 235 | } 236 | 237 | rule MACOS_LIGHTSPY_WIFIDYLIB_20240422 { 238 | meta: 239 | description = "Detects on the LightSpy libWifiList dylib" 240 | author = "Stuart Ashenbrenner, Alden Schmidt" 241 | date = "2024-04-22" 242 | modified = "2024-04-22" 243 | 244 | reference = "https://huntress.com/blog/lightspy-malware-variant-targeting-macos" 245 | hash1 = "fc7e77a56772d5ff644da143718ee7dbaf7a1da37cceb446580cd5efb96a9835" 246 | 247 | strings: 248 | $path = "/usr/local/lib/libWifiList.dylib" 249 | 250 | $a0 = { 2f 61 70 69 2f 77 69 66 69 5f (63 6f 6e 6e 65 63 74 69 6f 6e 2f | 6e 65 61 72 62 79 2f) } 251 | $a1 = { 57 50 41 [1] 2d 50 53 4b } 252 | 253 | condition: 254 | Macho and all of them 255 | } 256 | -------------------------------------------------------------------------------- /2024/2024-07/boinc/sigma/boinc_signature.yml: -------------------------------------------------------------------------------- 1 | title: Potential BOINC Software Execution (UC-Berkeley Signature) 2 | id: 0090b851-3543-42db-828c-02fee986ff0b 3 | status: test 4 | description: Detects the use of software that is signed by the University of California, Berkeley. This indicates it may be related to BOINC software and can be used maliciously if unauthorized. 5 | references: 6 | - https://boinc.berkeley.edu/ 7 | - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software 8 | author: Matt Anderson (Huntress) 9 | date: 2024/07/15 10 | modified: 2024/07/23 11 | tags: 12 | - attack.execution 13 | - attack.defense_evasion 14 | - attack.t1553 15 | logsource: 16 | category: process_creation 17 | product: windows 18 | detection: 19 | selection: 20 | Description: 'University of California, Berkeley' 21 | condition: selection 22 | falsepositives: 23 | - This software can be used for legitimate purposes when installed intentionally. 24 | level: informational 25 | -------------------------------------------------------------------------------- /2024/2024-07/boinc/sigma/powershell_from_headless_conhost.yml: -------------------------------------------------------------------------------- 1 | title: Powershell From Headless Conhost 2 | id: 056c7317-9a09-4bd4-9067-d051312752ea 3 | status: test 4 | description: Detects the use of powershell commands from headless conhost window. The "--headless" flag hides the windows from the user upon execution. 5 | references: 6 | - https://attack.mitre.org/tactics/TA0005/ 7 | - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software 8 | author: Matt Anderson (Huntress) 9 | date: 2024/07/15 10 | tags: 11 | - attack.defense_evasion 12 | - attack.t1059.001 13 | - attack.t1059.003 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | Image|endswith: '\conhost.exe' 20 | CommandLine|contains|all: 21 | - "--headless" 22 | - "powershell" 23 | condition: selection 24 | falsepositives: 25 | - Unknown 26 | level: medium 27 | -------------------------------------------------------------------------------- /2024/2024-07/boinc/sigma/process_no_name.yml: -------------------------------------------------------------------------------- 1 | title: Process with No Name 2 | id: f208d6d8-d83a-4c2c-960d-877c37da84e5 3 | status: test 4 | description: Detect use of processes with no name (".exe"), which can be used to evade Image-based detections. 5 | references: 6 | - https://attack.mitre.org/tactics/TA0005/ 7 | - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software 8 | author: Matt Anderson (Huntress) 9 | date: 2024/07/15 10 | tags: 11 | - attack.defense_evasion 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | Image|endswith: '.exe' 18 | condition: selection 19 | falsepositives: 20 | - Legitimate software (rare) 21 | level: medium 22 | -------------------------------------------------------------------------------- /2024/2024-07/boinc/sigma/renamed_boinc.yml: -------------------------------------------------------------------------------- 1 | title: Renamed BOINC Client 2 | id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc 3 | status: test 4 | description: Detects the use of BOINC software that has a process name other than "BOINC.exe". 5 | references: 6 | - https://boinc.berkeley.edu/ 7 | - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details 8 | - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software 9 | author: Matt Anderson (Huntress) 10 | date: 2024/07/15 11 | tags: 12 | - attack.defense_evasion 13 | - attack.t1553 14 | logsource: 15 | category: process_creation 16 | product: windows 17 | detection: 18 | selection: 19 | OriginalFileName: 'BOINC.exe' 20 | filter: 21 | Image|endswith: '\BOINC.exe' 22 | condition: selection and not filter 23 | falsepositives: 24 | - Unknown 25 | level: medium 26 | -------------------------------------------------------------------------------- /2024/2024-07/boinc/yara/boinc.yar: -------------------------------------------------------------------------------- 1 | rule BOINC Signature { 2 | meta: 3 | description = "Detects a signature from University of California, Berkeley, indicating it may be related to BOINC software" 4 | author = "Matt Anderson (Huntress)" 5 | reference = "https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details" 6 | date = "2024-07-15" 7 | id = "a4d7a953-222f-4211-ac87-3d2572b6fd53" 8 | 9 | condition: 10 | pe.signatures.subject contains "University of California, Berkeley" 11 | } -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_disable_defender_systemsettings_gui.yml: -------------------------------------------------------------------------------- 1 | title: Windows Defender Threat Protection Settings Disabled via GUI 2 | id: 87c21d4e-e312-4f0b-ab86-f9b8e60dd68e 3 | status: experimental 4 | description: Detects when a user disables Defender settings via GUI. This can be used by adversaries to impair defenses. 5 | references: 6 | - http://www.huntress.com/blog/its-not-safe-to-pay-safepay 7 | - https://www.huntress.com/blog/lolbin-to-inc-ransomware 8 | author: Matt Anderson (Huntress) 9 | date: 2024-11-01 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1562 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection_img: 18 | - Image|endswith: '\SystemSettingsAdminFlows.exe' 19 | - OriginalFileName: 'SystemSettingsAdminFlows.EXE' 20 | selection_parent_img: 21 | - ParentImage|endswith: '\SystemSettings.exe' 22 | selection_cli: 23 | CommandLine|contains: 24 | - 'Defender DisableEnhancedNotifications 1' 25 | - 'Defender SubmitSamplesConsent 0' 26 | - 'Defender SpynetReporting 0' 27 | - 'Defender RTP 1' 28 | condition: all of selection_* 29 | falsepositives: 30 | - May be turned off by a user or admin for legitimate purposes. 31 | level: medium -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_disable_defender_threat_protection_settings.yml: -------------------------------------------------------------------------------- 1 | title: Windows Defender Threat Protection Settings Disabled 2 | id: ad44351e-89c4-4b1c-8cb0-676c55bf11ce 3 | status: stable 4 | description: Detects when a user disables Defender settings without using the Settings GUI. This can be used by adversaries to impair defenses. 5 | references: 6 | - https://www.huntress.com/blog/lolbin-to-inc-ransomware 7 | author: Alden Schmidt, Matt Anderson 8 | date: 2024-08-20 9 | tags: 10 | - attack.defense-evasion 11 | - attack.t1562 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection_img: 17 | - Image|endswith: '\SystemSettingsAdminFlows.exe' 18 | - OriginalFileName: 'SystemSettingsAdminFlows.EXE' 19 | filter_parent_img: 20 | - ParentImage|endswith: '\SystemSettings.exe' 21 | selection_cli: 22 | CommandLine|contains: 23 | - 'Defender DisableEnhancedNotifications 1' 24 | - 'Defender SubmitSamplesConsent 0' 25 | - 'Defender SpynetReporting 0' 26 | - 'Defender RTP 1' 27 | condition: all of selection_* and not filter_parent_img 28 | falsepositives: 29 | - May be turned off by a user or admin for legitimate purposes. 30 | level: medium -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_proxy_exection_cmstplua_interface.yml: -------------------------------------------------------------------------------- 1 | title: System Binary Proxy Execution Using CMSTPLUA COM Interface 2 | id: b77542ea-151a-4c9d-b2eb-8b39adfbadea 3 | status: experimental 4 | description: Detects the use of a CMSTPLUA elevated COM Interface to execute a system binary that can be used for proxy execution. Using this COM Interface bypasses UAC, and 5 | has been used by numerous threat actors to execute ransomware and other malware. 6 | author: Matt Anderson (Huntress) 7 | references: 8 | - https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/ 9 | - https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d 10 | - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a 11 | - https://www.varonis.com/blog/blackcat-ransomware 12 | - https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies 13 | - http://www.huntress.com/blog/its-not-safe-to-pay-safepay 14 | date: 2024-11-01 15 | tags: 16 | - attack.defense-evasion 17 | - attack.privilege-escalation 18 | - attack.execution 19 | - attack.t1548.002 20 | - attack.t1218 21 | - attack.t1559.001 22 | logsource: 23 | category: process_creation 24 | product: windows 25 | detection: 26 | selection_parent: 27 | ParentImage|endswith: '\dllhost.exe' 28 | ParentCommandLine|contains: 'Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' 29 | selection_system_binary: 30 | Image|endswith: 31 | - '\rundll32.exe' 32 | - '\regsvr32.exe' 33 | - '\mshta.exe' 34 | - '\msiexec.exe' 35 | - '\hh.exe' 36 | - '\control.exe' 37 | - '\cmstp.exe' 38 | - '\installutil.exe' 39 | - '\odbcconf.exe' 40 | - '\regsvcs.exe' 41 | - '\regasm.exe' 42 | - '\verclsid.exe' 43 | - '\mavinject.exe' 44 | - '\mmc.exe' 45 | condition: all of selection_* 46 | falsepositives: 47 | - Some legitimate applications may use this occasionally 48 | level: high 49 | -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_scripting_interpreter_cmstplua_interface.yml: -------------------------------------------------------------------------------- 1 | title: Scripting Interpreter Execution Using CMSTPLUA COM Interface 2 | id: d4e9ed08-5356-4cb4-884f-a024d6ac3704 3 | status: experimental 4 | description: Detects the use of a CMSTPLUA elevated COM Interface to execute a scripting interpreter to launch scripts or commands. Using this COM Interface bypasses UAC, and 5 | has been used by numerous threat actors to execute ransomware and other malware. 6 | author: Matt Anderson (Huntress) 7 | references: 8 | - https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/ 9 | - https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d 10 | - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a 11 | - https://www.varonis.com/blog/blackcat-ransomware 12 | - https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies 13 | - http://www.huntress.com/blog/its-not-safe-to-pay-safepay 14 | date: 2024-11-01 15 | tags: 16 | - attack.defense-evasion 17 | - attack.privilege-escalation 18 | - attack.execution 19 | - attack.t1548.002 20 | - attack.t1218 21 | - attack.t1559.001 22 | logsource: 23 | category: process_creation 24 | product: windows 25 | detection: 26 | selection_parent: 27 | ParentImage|endswith: '\dllhost.exe' 28 | ParentCommandLine|contains: 'Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' 29 | selection_interpreter: 30 | - Image|endswith: 31 | - '\cmd.exe' 32 | - '\powershell.exe' 33 | - '\wscript.exe' 34 | - '\pwsh.exe' 35 | - '\powershell_ise.exe' 36 | - OriginalFileName: 37 | - 'Cmd.Exe' 38 | - 'PowerShell.EXE' 39 | - 'pwsh.dll' 40 | - 'wscript.exe' 41 | - 'powershell_ise.EXE' 42 | condition: all of selection_* 43 | falsepositives: 44 | - Some legitimate applications may use this occasionally 45 | level: high 46 | 47 | -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_winrar_archive_create_recursive.yml: -------------------------------------------------------------------------------- 1 | title: Create WinRAR Archive - Recurse Subfolders 2 | id: 116f209c-43a5-4581-a491-86dbdd3f57ec 3 | status: experimental 4 | description: Detects the use of winrar.exe commands to recurse subfolders. This may indicate a threat actor looking to archive all files within a directory without specificity, which is highly uncommon. 5 | references: 6 | - https://ss64.com/bash/rar.html 7 | - https://documentation.help/WinRAR/HELPSwV.htm 8 | - https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ 9 | - https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers 10 | - https://cloud.google.com/blog/topics/threat-intelligence/turla-galaxy-opportunity/ 11 | - http://www.huntress.com/blog/its-not-safe-to-pay-safepay 12 | author: Matt Anderson, Craig Sweeney (Huntress) 13 | date: 2024-11-13 14 | tags: 15 | - attack.collection 16 | - attack.t1560.001 17 | logsource: 18 | category: process_creation 19 | product: windows 20 | detection: 21 | selection_img: 22 | - Image|endswith: 23 | - \rar.exe 24 | - \winrar.exe 25 | - OriginalFileName: WinRAR.exe 26 | selection_other: 27 | CommandLine|contains|all: 28 | - ' -r' 29 | - ' a ' 30 | condition: all of selection_* 31 | falsepositives: 32 | - Legitimate use of Winrar command line version 33 | - Other command line tools or software that use these flags 34 | level: medium -------------------------------------------------------------------------------- /2024/2024-11/safepay/sigma/proc_creation_win_winrar_archive_create_volume_size.yml: -------------------------------------------------------------------------------- 1 | title: Create WinRAR Archive - Specify Volume Size 2 | id: 70580f07-a998-419f-bb5d-2a2fc4a87f7b 3 | status: experimental 4 | description: Detects the use of winrar.exe commands to create an archive with a specific volume size. This may indicate a threat actor increasing the size of the volume to prevent making separate files. 5 | references: 6 | - https://ss64.com/bash/rar.html 7 | - https://documentation.help/WinRAR/HELPSwV.htm 8 | - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry 9 | - https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ 10 | - http://www.huntress.com/blog/its-not-safe-to-pay-safepay 11 | author: Matt Anderson, Craig Sweeney (Huntress) 12 | date: 2024-11-13 13 | tags: 14 | - attack.collection 15 | - attack.t1560.001 16 | logsource: 17 | category: process_creation 18 | product: windows 19 | detection: 20 | selection_img: 21 | - Image|endswith: 22 | - \rar.exe 23 | - \winrar.exe 24 | - OriginalFileName: WinRAR.exe 25 | selection_other: 26 | CommandLine|contains|all: 27 | - ' -v*' 28 | - ' a ' 29 | condition: all of selection_* 30 | falsepositives: 31 | - Legitimate use of Winrar command line version 32 | - Other command line tools or software that use these flags 33 | level: high -------------------------------------------------------------------------------- /2024/2024-12/Cleo/sigma/win_proc_creation_cleo_exploitation_2024.yml: -------------------------------------------------------------------------------- 1 | title: Possible Cleo MFT Exploitation 2024 2 | id: f007b877-02e3-45b7-8501-1b78c2864029 3 | status: experimental 4 | description: Detects Powershell spawned from Cleo software. Evidence of unknown threat actor exploiting the CLEO tooling using this pattern observed in Dec 2024. 5 | author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson 6 | references: 7 | - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild 8 | date: 2024/12/09 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | ParentImage|endswith: '\javaw.exe' 15 | Image|endswith: '\cmd.exe' 16 | CommandLine|contains: 17 | - 'powershell' 18 | - ' -NonInteractive' 19 | - ' -noni ' 20 | - ' -enc ' 21 | - ' -EncodedCommand' 22 | ParentCommandLine|contains: 23 | - 'VLTrader' 24 | - 'lexicom' 25 | - 'Harmony' 26 | - 'VersaLex' 27 | 28 | condition: selection 29 | falsepositives: 30 | - Unknown 31 | level: high 32 | -------------------------------------------------------------------------------- /2024/2024-12/Cleo/sigma/win_proc_creation_suspicious_powershell_from_javaw.yml: -------------------------------------------------------------------------------- 1 | title: Javaw Spawning Suspicious Powershell Commands 2 | id: a0ec945f-2328-40e9-96f6-27dadf72861b 3 | status: experimental 4 | description: Detects Javaw spawning suspicious powershell commands. This has been observed as possible post-exploitation activity of Cleo software. 5 | author: Chad Hudson, Matt Anderson 6 | references: 7 | - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild 8 | date: 2024/12/09 9 | logsource: 10 | category: process_creation 11 | product: windows 12 | detection: 13 | selection: 14 | ParentImage|endswith: 15 | - '\javaw.exe' 16 | Image|endswith: 17 | - '\cmd.exe' 18 | cmdline: 19 | CommandLine|contains: 20 | - ' -nop' 21 | - ' -noni' 22 | - ' -NonInteractive' 23 | - ' -w hidden ' 24 | - ' -windowstyle hidden*' 25 | - '(New-Object Net.WebClient).Download*' 26 | - ' -enc ' 27 | - ' -EncodedCommand ' 28 | powershell: 29 | CommandLine|contains: powershell 30 | condition: selection and cmdline and powershell 31 | falsepositives: 32 | - Unknown 33 | -------------------------------------------------------------------------------- /2024/2024-12/Cleo/yara/Malichus.yar: -------------------------------------------------------------------------------- 1 | /* 2 | YARA Rule Set 3 | Author: Jai Minton, Alden Schmidt - Huntress 4 | Date: 2024-12-11 5 | Identifier: Malichus 6 | Reference: https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis 7 | */ 8 | 9 | /* Rule Set ----------------------------------------------------------------- */ 10 | 11 | rule Malichus_SFile { 12 | meta: 13 | description = "Malichus - file SFile.class" 14 | author = "Jai Minton, Alden Schmidt - Huntress" 15 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 16 | date = "2024-12-11" 17 | hash1 = "57ec6d8891c95a259636380f7d8b8f4f8ac209bc245d602bfa9014a4efd2c740" 18 | id = "93f23528-cd17-4606-93a8-395e8d94b911" 19 | strings: 20 | $s1 = "FAILED: File not exists or not readable" fullword ascii 21 | $s2 = "SFile.java" fullword ascii 22 | $s3 = "svdSize" fullword ascii 23 | $s4 = "fStop" fullword ascii 24 | $s5 = "FileOutputStream;" fullword ascii 25 | $s6 = "good" fullword ascii 26 | $s7 = "FileInputStream;" fullword ascii 27 | condition: 28 | uint32(0) == 0xbebafeca and filesize < 50KB and 29 | 4 of them 30 | } 31 | 32 | rule Malichus_Proc { 33 | meta: 34 | description = "Malichus - file Proc.class" 35 | author = "Jai Minton, Alden Schmidt - Huntress" 36 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 37 | date = "2024-12-11" 38 | hash1 = "1ba95af21bac45db43ebf02f87ecedde802c7de4d472f33e74ee0a5b5015a726" 39 | id = "ca6746b8-1b9f-46e5-9ffb-138414e7a26d" 40 | strings: 41 | $s1 = "chid" fullword ascii 42 | $s2 = "fStop" fullword ascii 43 | $s3 = "Timeout getting pipe-data" fullword ascii 44 | $s4 = "Ftprootpath" fullword ascii 45 | $s5 = "getTextContent" fullword ascii 46 | $s6 = "hostfile" fullword ascii 47 | $s7 = "getErrorStream" fullword ascii 48 | $s8 = "exec 2>&1" fullword ascii 49 | $s9 = "%username%" fullword ascii 50 | $s10 = "pipeDataLen=" fullword ascii 51 | $s11 = "ishell" fullword ascii 52 | $s12 = "pipeBuf" fullword ascii 53 | $s13 = "pipeDataLen" fullword ascii 54 | $s14 = "getNodeVal" fullword ascii 55 | $s15 = "loadOptions" fullword ascii 56 | $s16 = "confParser" fullword ascii 57 | $s18 = "readable" fullword ascii 58 | $s19 = "Rest cmd=" fullword ascii 59 | $s20 = "getAttr" fullword ascii 60 | $s21 = "prs-conf" fullword ascii 61 | $s22 = "conf/Top.xml" ascii 62 | $s23 = "conf/Options.xml" ascii 63 | condition: 64 | uint32(0) == 0xbebafeca and filesize < 50KB and 65 | 8 of them 66 | } 67 | 68 | rule Malichus_Slot { 69 | meta: 70 | description = "Malichus - file Slot.class" 71 | author = "Jai Minton, Alden Schmidt - Huntress" 72 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 73 | date = "2024-12-11" 74 | hash1 = "1e351bb7f6e105a3eaa1a0840140ae397e0e79c2bdc69d5e1197393fbeefc29b" 75 | id = "02908c30-6ba9-4d71-9f06-b876a2b0ebcd" 76 | strings: 77 | $s1 = "Slot.java" fullword ascii 78 | $s2 = "channel" fullword ascii 79 | $s3 = "connect" fullword ascii 80 | $s4 = "interestOps" fullword ascii 81 | $s5 = "evWrite" fullword ascii 82 | $s6 = "evConnect" fullword ascii 83 | $s7 = "evRead" fullword ascii 84 | $s8 = "chid" fullword ascii 85 | $s9 = "fStop" fullword ascii 86 | condition: 87 | uint32(0) == 0xbebafeca and filesize < 50KB and 88 | 5 of them 89 | } 90 | 91 | rule Malichus_DwnLevel { 92 | meta: 93 | description = "Malichus - file DwnLevel.class" 94 | author = "Jai Minton, Alden Schmidt - Huntress" 95 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 96 | date = "2024-12-11" 97 | hash1 = "f80634ce187ad4834d8f68ac7c93500d9da69ee0a7c964df1ffc8db1b6fff5a9" 98 | id = "450bc40c-9e0d-4c00-a000-c612a78de1cb" 99 | strings: 100 | $s1 = "DwnLevel.java" fullword ascii 101 | $s2 = "DwnLevel" fullword ascii 102 | $s3 = "files" fullword ascii 103 | $s4 = "state" fullword ascii 104 | $s5 = "LineNumberTable" fullword ascii 105 | condition: 106 | uint32(0) == 0xbebafeca and filesize < 50KB and 107 | all of them 108 | } 109 | 110 | rule Malichus_Dwn { 111 | meta: 112 | description = "Malichus - file Dwn.class" 113 | author = "Jai Minton, Alden Schmidt - Huntress" 114 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 115 | date = "2024-12-11" 116 | hash1 = "429d24e3f30c7e999033c91f32b108db48d669fde1c3fa62eff9da2697ed078e" 117 | id = "5a59f469-e61e-4088-ad46-060e66a56fb0" 118 | strings: 119 | $s1 = "getCurrZipSize" fullword ascii 120 | $s2 = "listFiles" fullword ascii 121 | $s3 = "Signature" fullword ascii 122 | $s4 = "remove" fullword ascii 123 | $s5 = "SrvSlot" fullword ascii 124 | $s6 = "DwnLevel" fullword ascii 125 | $s7 = "currZipSize" fullword ascii 126 | $s8 = "putNextEntry" fullword ascii 127 | $s9 = "addFile ex=" fullword ascii 128 | $s10 = "Dwn.java" fullword ascii 129 | $s11 = "tmLastStatSend" fullword ascii 130 | $s12 = "rdbuf" fullword ascii 131 | $s13 = "zipNum" fullword ascii 132 | $s14 = "PK_DWN" fullword ascii 133 | condition: 134 | uint32(0) == 0xbebafeca and filesize < 50KB and 135 | 8 of them 136 | } 137 | 138 | rule Malichus_Cli { 139 | meta: 140 | description = "Malichus - file Cli.class" 141 | author = "Jai Minton, Alden Schmidt - Huntress" 142 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 143 | date = "2024-12-11" 144 | hash1 = "6499e67082b9f1b5553b0f561d2c359b452ca16eb98582904c9f1aa70ebb9d07" 145 | id = "3f3b4d97-5a30-46dc-b339-d01b2330cdec" 146 | strings: 147 | $s1 = "+powershell -Noninteractive -EncodedCommand " fullword ascii 148 | $s2 = "getHostName" fullword ascii 149 | $s3 = "getLocalHost" fullword ascii 150 | $s4 = "sleep 3;rm -f '" fullword ascii 151 | $s5 = "runDelFileCmd" fullword ascii 152 | $s6 = "getEncoder" fullword ascii 153 | $s7 = "selectedKeys" fullword ascii 154 | $s8 = "getCanonicalFile" fullword ascii 155 | $s9 = "hostname" fullword ascii 156 | $s10 = "connect" fullword ascii 157 | $s11 = "remove" fullword ascii 158 | $s12 = "SrvSlot" fullword ascii 159 | $s13 = "fIsWin" fullword ascii 160 | $s14 = "cliid" fullword ascii 161 | $s15 = "Cli.java" fullword ascii 162 | $s16 = "fStop" fullword ascii 163 | $s17 = "os.name" fullword ascii 164 | condition: 165 | uint32(0) == 0xbebafeca and filesize < 50KB and 166 | 10 of them 167 | } 168 | 169 | rule Malichus_SrvSlot { 170 | meta: 171 | description = "Malichus - file SrvSlot.class" 172 | author = "Jai Minton, Alden Schmidt - Huntress" 173 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 174 | date = "2024-12-11" 175 | hash1 = "f4e5a6027b25ede93b10e132d5f861ed7cca1df7e36402978936019930e52a16" 176 | id = "b4296d26-46f7-4917-afa2-5dd8ee1672ca" 177 | strings: 178 | $s1 = "prsHelloPkt" fullword ascii 179 | $s2 = "pktHello" fullword ascii 180 | $s3 = "HELLO dwn_id=" fullword ascii 181 | $s4 = "getDWORD" fullword ascii 182 | $s5 = "outpkts" fullword ascii 183 | $s6 = "--- connect inPktNum=" fullword ascii 184 | $s7 = " RESET session savedZipData.size=" fullword ascii 185 | $s8 = "inpktNum=%d inpktNumConf=%d d=%d" fullword ascii 186 | $s9 = "Ticks=%d SrvSlotFull=%d SvZipDataOverflow=%d OpNotConf=%d" fullword ascii 187 | $s10 = "*LastZipDid=%d LastZipNum=%d LastZipOff=%d" fullword ascii 188 | $s11 = "opNum=%d opNumConf=%d d=%d" fullword ascii 189 | $s12 = "internalCmds" fullword ascii 190 | $s13 = "SrvSlot.java" fullword ascii 191 | $s14 = "tmLastRead" fullword ascii 192 | $s15 = "nAddFileEx=%d nSlowTicks=%d" fullword ascii 193 | $s16 = "savedZipData.size=%d" fullword ascii 194 | $s17 = "crKey" fullword ascii 195 | $s18 = "icri" fullword ascii 196 | $s19 = "ocri" fullword ascii 197 | $s20 = "icrs" fullword ascii 198 | $s21 = "ocrs" fullword ascii 199 | $s22 = "dbgTicks" fullword ascii 200 | $s23 = "dbgSrvSlotFull" fullword ascii 201 | $s24 = "dbgSvZipDataOverflow" fullword ascii 202 | $s25 = "dbgOpNotConf" fullword ascii 203 | condition: 204 | uint32(0) == 0xbebafeca and filesize < 50KB and 205 | 8 of them 206 | } 207 | 208 | rule Malichus_ScSlot { 209 | meta: 210 | description = "Malichus - file ScSlot.class" 211 | author = "Jai Minton, Alden Schmidt - Huntress" 212 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 213 | date = "2024-12-11" 214 | hash1 = "87f7627e98c27620dd947e8dd60e5a124fdd3bb7c0f5957f0d8f7da6d0f90dee" 215 | id = "ea4069e2-4e00-482c-88e4-985f8080a7f2" 216 | strings: 217 | $s1 = "ScSlot.java" fullword ascii 218 | $s2 = "connect" fullword ascii 219 | $s3 = "SrvSlot" fullword ascii 220 | $s4 = "evConnect" fullword ascii 221 | $s5 = "evRead" fullword ascii 222 | $s6 = "pktCloseChannel" fullword ascii 223 | $s7 = "isFull" fullword ascii 224 | $s8 = "ScSlot" fullword ascii 225 | $s9 = "inbuf" fullword ascii 226 | condition: 227 | uint32(0) == 0xbebafeca and filesize < 50KB and 228 | 6 of them 229 | } 230 | 231 | rule Malichus_Mos { 232 | meta: 233 | description = "Classes - file Mos.class" 234 | author = "Jai Minton, Alden Schmidt - Huntress" 235 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 236 | date = "2024-12-11" 237 | hash1 = "0b7b1b24f85a0107829781b10d08432db260421a7727230f1d3caa854370cb81" 238 | id = "9fbf893f-211f-4cd9-b6d5-879827944119" 239 | strings: 240 | $s1 = "SrvSlot" fullword ascii 241 | $s2 = "setDWORD" fullword ascii 242 | $s3 = "Mos.java" fullword ascii 243 | $s4 = "zipNum" fullword ascii 244 | $s5 = "ibuf" fullword ascii 245 | $s6 = "setB3" fullword ascii 246 | condition: 247 | uint32(0) == 0xbebafeca and filesize < 50KB and 248 | 4 of them 249 | } 250 | 251 | /* Super Rules */ 252 | 253 | rule Malichus_Dwn_SrvSlot { 254 | meta: 255 | description = "Malichus - from files Dwn.class, SrvSlot.class" 256 | author = "Jai Minton, Alden Schmidt - Huntress" 257 | reference = "https://www.huntress.com/blog/cleo-software-vulnerability-malware-analysis" 258 | date = "2024-12-11" 259 | hash1 = "429d24e3f30c7e999033c91f32b108db48d669fde1c3fa62eff9da2697ed078e" 260 | hash2 = "f4e5a6027b25ede93b10e132d5f861ed7cca1df7e36402978936019930e52a16" 261 | id = "97143307-0d09-46c4-a4b5-6672eb87814a" 262 | strings: 263 | $s1 = "pkt_zipdata" fullword ascii 264 | $s2 = "nSlowTicks" fullword ascii 265 | $s3 = "setStat" fullword ascii 266 | $s4 = "nAddFileEx" fullword ascii 267 | $s5 = "currentTimeMillis" fullword ascii 268 | condition: 269 | ( uint32(0) == 0xbebafeca and filesize < 50KB and ( all of them ) 270 | ) or ( all of them ) 271 | } 272 | -------------------------------------------------------------------------------- /2025/2025-03/CrushFTP/sigma/win_proc_creation_shell_child_process_crushftp.yml: -------------------------------------------------------------------------------- 1 | title: Shell Process from CrushFTP 2 | id: 459628e3-1b00-4e9b-9e5b-7da8961aea35 3 | status: experimental 4 | description: Detects execution of a shell process with CrushFTP as a parent process. May indicate post-exploitation of a vulnerability in CrushFTP. 5 | author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw 6 | references: 7 | - https://nvd.nist.gov/vuln/detail/CVE-2025-2825 8 | - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update 9 | - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/ 10 | - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis 11 | - https://projectdiscovery.io/blog/crushftp-authentication-bypass 12 | date: 2025-04-03 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | shell_process: 18 | Image|endswith: 19 | - '\cmd.exe' 20 | - '\powershell.exe' 21 | - '\powershell_ise.exe' 22 | crushftp_parent: 23 | ParentImage|endswith: '\crushftpservice.exe' 24 | condition: shell_process and crushftp_parent 25 | falsepositives: 26 | - Unknown 27 | level: medium 28 | tags: 29 | - attack.initial_access 30 | - attack.execution 31 | - attack.t1059.001 32 | - attack.t1059.003 33 | - attack.t1190 34 | - attack.ta0001 35 | - attack.ta0002 -------------------------------------------------------------------------------- /2025/2025-04/CentreStack_CVE-2025-30406/chainsaw/cve-2025-30406_chainsaw_rule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | title: CVE-2025-30406 Gladinet Exploitation 3 | group: Webservers 4 | description: Detects the deserialization vulnerability in Gladinet version < 16.4.10315.56368 5 | authors: 6 | - sudoREM 7 | 8 | kind: evtx 9 | level: high 10 | status: stable 11 | timestamp: Event.System.TimeCreated 12 | 13 | fields: 14 | - name: Event ID 15 | to: Event.System.EventID 16 | - name: Computer 17 | to: Event.System.Computer 18 | - name: Installation Path 19 | to: Event.EventData.Data[11] 20 | - name: URL 21 | to: Event.EventData.Data[17] 22 | - name: Request IP 23 | to: Event.EventData.Data[19] 24 | # - name: User Agent 25 | # to: Event.EventData.Data[27] 26 | - name: Payload 27 | to: Event.EventData.Data[28] 28 | 29 | filter: 30 | condition: event_information and exploit 31 | event_information: 32 | Event.System.EventID: 1316 33 | Event.System.Provider_attributes.Name: "i*ASP.NET*" 34 | 35 | exploit: 36 | Event.EventData.Data[1]: 37 | - "i*Viewstate*" 38 | Event.EventData.Data[28]: 39 | - "i*8BAAAAAA*" 40 | 41 | -------------------------------------------------------------------------------- /2025/2025-04/CentreStack_CVE-2025-30406/sigma/windows_susp_exec_from_centrastack_or_triofox.yml: -------------------------------------------------------------------------------- 1 | title: Shell Process from Gladinet CentreStack or Triofox 2 | id: 6a3be0d6-2305-4fa3-a5bc-b4d35c0b5f12 3 | status: experimental 4 | description: Detects execution of a shell process from the "Portal" Application Pool used by Gladinet Centrestack or the “Management” Application Pool used by Triofox, as a parent process. This may indicate successful exploitation of a vulnerability in Centrestack or Triofox. 5 | author: Craig Sweeney, Jai Minton, Michael Tigges, Matt Anderson, John Hammond (Huntress) 6 | references: 7 | - https://www.cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog 8 | - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf 9 | - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2025-triofox.pdf 10 | - https://nvd.nist.gov/vuln/detail/CVE-2025-30406 11 | date: 2025-04-12 12 | modified: 2025-04-14 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | shell_process: 18 | Image|endswith: 19 | - '\cmd.exe' 20 | - '\powershell.exe' 21 | - '\powershell_ise.exe' 22 | selection_parent: 23 | ParentImage|endswith: '\w3wp.exe' 24 | ParentCommandLine|contains: 25 | - '\portal\portal.config' 26 | - '\management\management.config' 27 | condition: shell_process and selection_parent 28 | falsepositives: 29 | - Unknown 30 | level: medium 31 | tags: 32 | - attack.initial_access 33 | - attack.execution 34 | - attack.t1059.001 35 | - attack.t1059.003 36 | - attack.t1190 37 | - attack.ta0001 38 | - attack.ta0002 -------------------------------------------------------------------------------- /2025/2025-05/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/huntresslabs/threat-intel/9ddf3f69f6b1e5477017ec69d3689a6117a41114/2025/2025-05/.DS_Store -------------------------------------------------------------------------------- /2025/2025-05/Advanced_Critical_Marketing_Research_Intrusion/windows_mesh_agent_execution.yml: -------------------------------------------------------------------------------- 1 | title: Mesh Agent Execution 2 | id: 753d9010-fed7-425e-9d3a-0a5510024840 3 | status: experimental 4 | description: Detects Mesh Agent, the client software used to connect to a Mesh Central Server 5 | References: 6 | - https://github.com/Ylianst/MeshAgent 7 | author: Craig Sweeney, Matt Anderson 8 | date: 2025-05-27 9 | tags: 10 | - attack.command_and_control 11 | - attack.T1219 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection: 17 | - Product: ’MeshCentral Agent’ 18 | - Description: 'MeshCentral Background Service Agent' 19 | condition: selection 20 | falsepositives: 21 | - Legitimate usage by System Administrators 22 | level: low 23 | -------------------------------------------------------------------------------- /2025/2025-05/Advanced_Critical_Marketing_Research_Intrusion/windows_susp_mail_exchanger_enumeration_with_shortened_query_paramter_via_nslookup.yml: -------------------------------------------------------------------------------- 1 | title: Mail Exchanger Enumeration via Nslookup with a Shortened Query Parameter 2 | id: 11b8251d3-6267-4817-8d70-f001b6952c4b 3 | status: experimental 4 | description: Detects the use of Nslookup to enumerate mail servers while using a shortened query type parameter “-q” 5 | references: 6 | - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup 7 | author: Craig Sweeney 8 | date: 2025-05-27 9 | tags: 10 | - attack.discovery 11 | - attack.T1016 12 | logsource: 13 | category: process_creation 14 | product: windows 15 | detection: 16 | selection_img: 17 | Image|endswith: ’\nslookup.exe’ 18 | selection_other: 19 | CommandLine|contains: ‘-q=mx’ 20 | condition: all of selection_* 21 | falsepositives: 22 | - Legitimate usage by System Administrators 23 | level: low 24 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_image_load_defendnot_dll_taskmgr.yml: -------------------------------------------------------------------------------- 1 | title: defendnot.dll Loaded Via Taskmgr 2 | id: 657104f9-6995-4f73-ae33-34e3bf01e051 3 | status: experimental 4 | description: Detects defendnot.dll being loaded by taskmgr.exe after initial defendnot-loader.exe execution. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 9 | date: 2025-05-22 10 | tags: 11 | - attack.defense-evasion 12 | logsource: 13 | category: image_load 14 | product: windows 15 | detection: 16 | selection: 17 | ImageLoaded|endswith: '\defendnot.dll' 18 | Image|endswith: '\taskmgr.exe' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: medium 23 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_image_load_taskmgr_unsigned.yml: -------------------------------------------------------------------------------- 1 | title: Suspicious Image Load into taskmgr.exe with Invalid or Unsigned Modules (Sysmon) 2 | id: b8f4e2c1-9a2d-4c7b-a1f8-3e4b7c9d2f3a 3 | status: experimental 4 | description: Detects image load events (DLLs or modules) by taskmgr.exe (Windows Task Manager) in Sysmon logs from non-standard directories with unsigned modules or invalid signatures, indicating potential malicious activity such as DLL injection. Used by Defendnot evasion tool that disables Windows Defender. 5 | author: Matt Anderson, Andrew Schwartz, Tyler Bohlmann 6 | date: 2025-05-21 7 | references: 8 | - https://attack.mitre.org/techniques/T1055/ 9 | - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon 10 | - https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-security 11 | - https://github.com/es3n1n/defendnot 12 | - https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/ 13 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 14 | logsource: 15 | category: image_load 16 | product: windows 17 | service: sysmon 18 | detection: 19 | selection: 20 | EventID: 7 21 | Image|endswith: \taskmgr.exe 22 | filter_legitimate: 23 | ImageLoaded|startswith: 24 | - C:\Windows\System32\ 25 | - C:\Windows\SysWOW64\ 26 | - C:\Windows\ 27 | - C:\Windows\System32\wbem\ 28 | - C:\Windows\System32\com\ 29 | - C:\Windows\System32\en-US\ 30 | selection_signature: 31 | - Signed: false 32 | - SignatureStatus|contains: 33 | - Invalid 34 | - UntrustedRoot 35 | - Expired 36 | condition: selection and not filter_legitimate and selection_signature 37 | fields: 38 | - Image 39 | - ImageLoaded 40 | - Signed 41 | - SignatureStatus 42 | - ProcessId 43 | - User 44 | falsepositives: 45 | - Legitimate third-party tools or extensions loading unsigned or invalidly signed DLLs from non-standard directories 46 | - Administrative troubleshooting or debugging tools 47 | level: high 48 | tags: 49 | - attack.execution 50 | - attack.t1055 51 | - attack.t1562.001 52 | - attack.defense-evasion -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_child_process_taskmgr.yml: -------------------------------------------------------------------------------- 1 | title: Taskmgr Child Process of defendnot 2 | id: d4ce1024-710e-41ab-8de5-aad408bac1a8 3 | status: experimental 4 | description: Detects taskmgr.exe child process spawning from defendnot-loader.exe execution. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 9 | date: 2025-05-22 10 | tags: 11 | - attack.defense-evasion 12 | - attack.t1055 13 | logsource: 14 | category: process_creation 15 | product: windows 16 | detection: 17 | selection: 18 | ParentImage|endswith: '\defendnot-loader.exe' 19 | Image|endswith: '\taskmgr.exe' 20 | condition: selection 21 | falsepositives: 22 | - Unknown 23 | level: medium 24 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_default_scheduled_task_creation.yml: -------------------------------------------------------------------------------- 1 | title: Defendnot Scheduled Task Creation - Security 2 | id: 3156aabd-474b-408e-8fc5-f9a92e026cd1 3 | status: experimental 4 | description: Detects creation of scheduled tasks potentially used for autorun persistence (Event ID 4698), such as those created by defendnot or similar tooling. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Matt Anderson 9 | date: 2025-05-22 10 | modified: 2025-06-03 11 | logsource: 12 | product: windows 13 | service: security 14 | detection: 15 | selection: 16 | EventID: 4698 17 | TaskName|contains: 18 | - "defendnot" 19 | - "autorun" 20 | - "Loader" 21 | TaskContent|contains: 22 | - "defendnot" 23 | - "--from-autorun" 24 | - "defendnot-loader" 25 | - "\\defendnot.dll" 26 | condition: selection 27 | fields: 28 | - SubjectUserName 29 | - TaskName 30 | - TaskContent 31 | - ProcessId 32 | - ComputerName 33 | falsepositives: 34 | - Legitimate admin tasks with similar names or command lines 35 | level: high 36 | tags: 37 | - attack.persistence 38 | - attack.t1053.005 -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_defender_state_correlation.yml: -------------------------------------------------------------------------------- 1 | title: defendnot Windows Defender State Toggle Events 2 | id: 833017cc-0fec-4e3c-8d62-19541d09d462 3 | description: Detects two different types of Event 15 from SecurityCenter occurring within 5 seconds - one with STATE_OFF and another with STATE_ON 4 | status: experimental 5 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 6 | date: 2025-05-22 7 | references: 8 | - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/ 9 | - https://github.com/es3n1n/defendnot 10 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 11 | logsource: 12 | product: windows 13 | service: application 14 | definition: 'Windows Application Event Log' 15 | detection: 16 | selection_base: 17 | EventID: 15 18 | Source: 'SecurityCenter' 19 | selection_state_off: 20 | EventData|contains: 'SECURITY_PRODUCT_STATE_OFF' 21 | selection_state_on: 22 | EventData|contains: 'SECURITY_PRODUCT_STATE_ON' 23 | selection_github: 24 | EventData|contains: 'https://github.com/es3n1n/defendnot' 25 | condition: selection_base and ((selection_state_off) or (selection_state_on and selection_github)) 26 | falsepositives: 27 | - Legitimate Windows Defender configuration changes 28 | - Security software updates or restarts 29 | - Administrative security policy modifications 30 | level: medium 31 | tags: 32 | - attack.defense_evasion 33 | - attack.t1562.001 34 | --- 35 | title: defendnot Windows Defender State Toggle Events (Event 15 Correlation) 36 | status: experimental 37 | correlation: 38 | type: value_count 39 | rules: 40 | - defendnot Windows Defender State Toggle Events 41 | group-by: 42 | - EventData 43 | timespan: 5s 44 | condition: 45 | gte: 2 46 | field: EventData 47 | falsepositives: 48 | - Legitimate Windows Defender configuration changes 49 | - Security software updates or restarts 50 | - Administrative security policy modifications 51 | level: high 52 | tags: 53 | - attack.defense_evasion 54 | - attack.t1562.001 55 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_file_creation.yml: -------------------------------------------------------------------------------- 1 | title: defendnot File Creation 2 | id: 029fe628-7ebc-4db9-812d-b38e5a7f173c 3 | status: experimental 4 | description: Detects the ctx.bin file that gets created after the defendnot-loader.exe binary is executed. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 9 | date: 2025-05-22 10 | tags: 11 | - attack.defense-evasion 12 | logsource: 13 | category: file_event 14 | product: windows 15 | detection: 16 | selection: 17 | Image|endswith: '\defendnot-loader.exe' 18 | TargetFilename|endswith: '\ctx.bin' 19 | condition: selection 20 | falsepositives: 21 | - Unknown 22 | level: medium 23 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_process_creation.yml: -------------------------------------------------------------------------------- 1 | title: defendnot Execution 2 | id: 1d1b35be-128d-434d-b9fd-54b77ec849c6 3 | status: experimental 4 | description: Detects the execution of defendnot-loader.exe. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 9 | date: 2025-05-22 10 | logsource: 11 | category: process_creation 12 | product: windows 13 | detection: 14 | selection: 15 | - Image|endswith: '\defendnot-loader.exe' 16 | - CommandLine|contains: 'defendnot-loader.exe' 17 | condition: selection 18 | falsepositives: 19 | - Unknown 20 | level: medium 21 | tags: 22 | - attack.execution 23 | - attack.t1059.003 24 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_defendnot_updated_scheduled_task.yml: -------------------------------------------------------------------------------- 1 | title: Updated Default defendnot Scheduled Task 2 | id: 803a67d4-7945-4cbe-b8cd-ce8c334da4c0 3 | status: experimental 4 | description: Detects the update of the default scheduled task creation of defendnot after binary execution. 5 | references: 6 | - https://github.com/es3n1n/defendnot 7 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 8 | author: Tyler Bohlmann, Andrew Schwartz, Matt Anderson 9 | date: 2025-05-20 10 | tags: 11 | - attack.persistence 12 | - attack.t1053.005 13 | logsource: 14 | product: windows 15 | service: security 16 | definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' 17 | detection: 18 | selection_id: 19 | EventID: 4702 20 | selection_path: 21 | TaskContentNew|contains|all: 22 | - 'defendnot' 23 | - '--from-autorun' 24 | condition: all of selection_* 25 | falsepositives: 26 | - Unknown 27 | level: high 28 | -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_modifiy_security_center_registry_key.yml: -------------------------------------------------------------------------------- 1 | title: Modification to Security Center AV Registry Key 2 | id: 7b8f9c3a-4e6d-4f8b-9a2e-5c3b7d9e2f1a 3 | status: experimental 4 | description: |- 5 | Detects modifications to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av registry key, which stores antivirus provider information for Windows Security Center. A registry is added by the Defendnot tool for evasion, which registers a fake AV product to turn Defender off. 6 | Note: This rule requires auditing to be enabled for the registry key (e.g., via 'Set Value' auditing in Registry Editor or Group Policy) and the 'Audit Object Access' policy to be enabled in Local Security Policy. 7 | author: Matt Anderson, Andrew Schwartz, Jonathon Johnson 8 | date: 2025-05-21 9 | References: 10 | - https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/ 11 | - https://github.com/es3n1n/defendnot/tree/master 12 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 13 | logsource: 14 | product: windows 15 | service: security 16 | definition: |- 17 | Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry 18 | detection: 19 | selection: 20 | EventID: 4657 21 | Channel: Security 22 | ObjectName|contains: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av 23 | filter: 24 | ObjectName|contains: {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} 25 | condition: selection and not filter 26 | fields: 27 | - SubjectUserName 28 | - SubjectDomainName 29 | - ObjectName 30 | - ObjectValueName 31 | - OldValue 32 | - NewValue 33 | - ProcessName 34 | falsepositives: 35 | - Administrative actions modifying antivirus settings 36 | level: medium 37 | tags: 38 | - attack.defense-evasion 39 | - attack.t1562.001 -------------------------------------------------------------------------------- /2025/2025-05/defendnot/sigma/win_security_process_access_defendnot.yml: -------------------------------------------------------------------------------- 1 | title: MsMpEng.exe Process Access defendnot loader 2 | id: 5d80958a-e7ec-4b0b-b597-a1d1b69f1562 3 | status: experimental 4 | description: Detects when MsMpEng.exe (Microsoft Defender Antimalware Service) queries information about other processes. This is generally normal behavior for an antivirus but is provided as per specific request. 5 | author: Matt Anderson, Andrew Schwartz 6 | date: 2025-05-22 7 | references: 8 | - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-10-processaccess 9 | - https://www.huntress.com/blog/defendnot-detecting-malicious-security-product-bypass-techniques 10 | logsource: 11 | product: windows 12 | service: sysmon 13 | eventtype: process_access 14 | detection: 15 | selection: 16 | EventID: 10 17 | SourceImage|endswith: '\MsMpEng.exe' 18 | TargetImage|endswith: '\defendnot-loader.exe' 19 | GrantedAccess: '0x1000' 20 | condition: selection 21 | level: informational 22 | tags: 23 | - attack.execution -------------------------------------------------------------------------------- /2025/2025-05/defendnot/yara/defendnot_tool.yar: -------------------------------------------------------------------------------- 1 | 2 | rule DefendNot_Hash 3 | { 4 | meta: 5 | description = "Detects defendnot loader/dll by known hash" 6 | author = "Matt Anderson" 7 | reference = "https://github.com/es3n1n/defendnot" 8 | strings: 9 | $sha256_1 = "2e5285eee85944d0a45215dc926ba4d812523ff8" ascii /* Example SHA256 of known defendnot file */ 10 | } 11 | rule DefendNot_KeyStrings 12 | { 13 | meta: 14 | description = "Detects defendnot by key strings in binary" 15 | author = "Matt Anderson" 16 | strings: 17 | $s1 = "https://github.com/es3n1n/defendnot" wide ascii 18 | $s2 = "--from-autorun" ascii 19 | $s3 = "defendnot.dll" ascii 20 | $s4 = "Taskmgr.exe" ascii 21 | $s5 = "IWscAVStatus" ascii 22 | condition: 23 | 2 of ($s*) 24 | } 25 | 26 | rule DefendNot_BinaryPatterns 27 | { 28 | meta: 29 | description = "Detects defendnot by binary patterns in PE structure" 30 | author = "Matt Anderson" 31 | strings: 32 | $mz = { 4D 5A } // MZ header 33 | $repo = "defendnot" ascii 34 | $dll = "defendnot.dll" ascii 35 | condition: 36 | $mz at 0 and $repo and $dll 37 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Huntress Labs 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # threat-intel 2 | This repository contains supplemental items including IOCs, and signatures discussed in Huntress blogposts, and other media. 3 | 4 | ## Organization 5 | This repository is organized by year, within that folder will be a subfolder named by the month and title of the media which is supported by its contents. An example might be: 6 | 7 | ``` 8 | 2022 9 | └── 2022-12 10 | └── 28-TITLE 11 | └── detections 12 | └── sigma 13 | └── tools 14 | └── misc 15 | 16 | ``` 17 | 18 | There are no guarantees about any of these supplemental files, correctness, or otherwise. They are released under MIT license, as-is. 19 | --------------------------------------------------------------------------------