├── ATD-Dump-Full-Memory-Win11.bioc ├── ATD-Dump-Full-Memory-Win11.md ├── ATD-cdpsgshims.dll.bioc ├── ATD-cdpsgshims.dll.md ├── BIOC-Jetico_signed.bioc ├── BIOC-Jetico_signed.md ├── BIOC-Kerberoasting-Canary-Account.bioc ├── BIOC-Kerberoasting-Canary-Account.md ├── BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc ├── BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md ├── BIOC-POC-CVE-2024-49112.bioc ├── BIOC-PetitPotam-Authentication-Coercer.bioc ├── BIOC-PetitPotam-Authentication-Coercer.md ├── BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc ├── BIOC-PetitPotam-EventLog-ElfrOpenBELW.md ├── BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc ├── BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md ├── BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc ├── BIOC-PetitPotam_Spoolss_Authentication_Coercer.md ├── BIOC-RBCD_Attack.bioc ├── BIOC-RBCD_Attack.md ├── BIOC-Rdrleakdiag-lolbas.bioc ├── BIOC-Rdrleakdiag-lolbas.md ├── BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc ├── BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.md ├── BIOC-SprintCSP.dll.bioc ├── BIOC-SprintCSP.dll.md ├── BIOC-TTTracerinjection-into-LSASS.bioc ├── BIOC-TTTracerinjection-into-LSASS.md ├── BIOC-add-User-to-LocalAdmin-Group ├── BIOC-suspicious-command-line to Critical registry and NTDS file.bioc ├── BIOC-suspicious-command-line to Critical registry and NTDS file.md ├── BIOC-suspicious-command-line-.md ├── BIOC-wlanapi.dll_LPE.bioc ├── BIOC-wlanapi.dll_LPE.md ├── BIOC_PingCastle_ADCS_scanning.bioc ├── BIOC_PingCastle_ADCS_scanning.md ├── Forensic_4624_type_10 ├── LICENCE ├── ProcDump.py ├── README.md ├── SCRT_PetitPotam-Authentication-Coercer.md ├── SCRT_PetitPotam_DFSNM_Authenticaton_Coercer.md ├── SCRT_PetitPotam_Spoolss_Authentication_Coercer.md ├── SCRT_invalid_driver_hunt.bioc ├── SCRT_invalid_driver_hunt.md ├── Widget_Agent_Type ├── Widget_Network_Probes_Last_events ├── XDR-Collector-config-DHCP-Filebeat.txt ├── XDR_Collector_Exchange_Msg_Tracking ├── XDR_Collector_config_IIS.txt ├── 
XDR_loldriver.io_update_IOC.md ├── XDR_loldriver.io_update_IOC.py ├── XQL_4624_successfull_Logons ├── XQL_Account_Lockout ├── XQL_Computer_Account_created.txt ├── XQL_Failed_Logins.txt ├── XQL_Failed_Logins_francais.txt ├── XQL_General_event_logs ├── XQL_Kerb_PreAuth_4771 ├── XQL_Kerberoasting_of_canary_account ├── XQL_Powershell_transcripts ├── XQL_RPC_LSAT ├── XQL_Threat_hunt_kerberos_request ├── XQL_driver_hunting ├── XQL_graph_process_by_hour ├── convert_to_md.py ├── fullmemorydump.py ├── images ├── README.md ├── xdr_loldriver_api_role.png └── xdr_malware_profile.PNG ├── xdr_log4j.py └── xdr_loldriver_api_role.png /ATD-Dump-Full-Memory-Win11.bioc: -------------------------------------------------------------------------------- 1 | 8dffb26d04bdb42c0fea2bdccd7d2e23 2 | [{"rule_id":381,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1742375757951,"modify_time":1742375831546,"severity":"SEV_040_HIGH","source":"frank.bussink@swissexpertgroup.com","comment":"BIOC Dump full memory containing LSASS process done from TaskManager","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":{"runOnCGO":true,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_path","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\TaskManager\\\\LiveKernelDumps\\\\livedump.*DMP","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"6873f40bc8392cf64e00234d4fd01f13","indicator_text":"File action type = create, write AND file path =~ C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\TaskManager\\\\LiveKernelDumps\\\\livedump.*DMP","name":"ATD-Full_Kernel_Dump_WIN11","mitre_technique_id_and_name":"T1003 - OS Credential 
Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-Full_Kernel_Dump_WIN11","tactic_id":["TA0006"],"technique_id":["T1003"],"biocRuleName":"ATD-Full_Kernel_Dump_WIN11","biocId":381,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation (file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex ?file_path \"c:\\\\\\\\users\\\\\\\\.*\\\\\\\\appdata\\\\\\\\local\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\taskmanager\\\\\\\\livekerneldumps\\\\\\\\livedump.*dmp\" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-Full_Kernel_Dump_WIN11","tactic_id":["TA0006"],"technique_id":["T1003"],"biocRuleName":"ATD-Full_Kernel_Dump_WIN11","biocId":381,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation (file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex ?file_path \"c:\\\\\\\\users\\\\\\\\.*\\\\\\\\appdata\\\\\\\\local\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\taskmanager\\\\\\\\livekerneldumps\\\\\\\\livedump.*dmp\" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-Full_Kernel_Dump_WIN11","tactic_id":["TA0006"],"technique_id":["T1003"],"biocRuleName":"ATD-Full_Kernel_Dump_WIN11","biocId":381,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation 
(file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex (lowcase ?file_path) \"c:\\\\\\\\users\\\\\\\\.*\\\\\\\\appdata\\\\\\\\local\\\\\\\\microsoft\\\\\\\\windows\\\\\\\\taskmanager\\\\\\\\livekerneldumps\\\\\\\\livedump.*dmp\" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid))))"}},"btp_rule_name":"file_operation_381","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1742375825472,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /ATD-Dump-Full-Memory-Win11.md: -------------------------------------------------------------------------------- 1 | * rule_id: 381 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1742375757951 5 | * modify_time: 1742375831546 6 | * severity: SEV_040_HIGH 7 | * source: frank.bussink@swissexpertgroup.com 8 | * comment: BIOC Dump full memory containing LSASS process done from TaskManager 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * ## Indicator ## 12 | * runOnCGO: True 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 6 26 | * isExtended: False 27 | * SEARCH_FIELD: action_file_path 28 | * SEARCH_TYPE: REGEX 29 | * SEARCH_VALUE: C:\\Users\\.*\\AppData\\Local\\Microsoft\\Windows\\TaskManager\\LiveKernelDumps\\livedump.*DMP 30 | * ###### Extra_Fields ###### 31 | * isExtended: False 32 | * node: attributes 33 | * indicator_md5: 6873f40bc8392cf64e00234d4fd01f13 34 | * 
indicator_text: File action type = create, write AND file path =~ C:\\Users\\.*\\AppData\\Local\\Microsoft\\Windows\\TaskManager\\LiveKernelDumps\\livedump.*DMP 35 | * name: ATD-Full_Kernel_Dump_WIN11 36 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 37 | * mitre_tactic_id_and_name: TA0006 - Credential Access 38 | * mitre_tactic_id: TA0006 39 | * mitre_technique_id: T1003 40 | * ## Btp_Rule ## 41 | * ### Agent_Os_Windows ### 42 | * #### Signatureconfiguration #### 43 | * ##### Default ##### 44 | * ###### Settings ###### 45 | * action: block 46 | * friendlyName: ATD-Full_Kernel_Dump_WIN11 47 | * ###### Tactic_Id ###### 48 | * 0: TA0006 49 | * ###### Technique_Id ###### 50 | * 0: T1003 51 | * biocRuleName: ATD-Full_Kernel_Dump_WIN11 52 | * biocId: 381 53 | * additionalData: {} 54 | * rule_data: (deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation (file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex ?file_path "c:\\\\users\\\\.*\\\\appdata\\\\local\\\\microsoft\\\\windows\\\\taskmanager\\\\livekerneldumps\\\\livedump.*dmp" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid)))) 55 | * ### Agent_Os_Mac ### 56 | * #### Signatureconfiguration #### 57 | * ##### Default ##### 58 | * ###### Settings ###### 59 | * action: block 60 | * friendlyName: ATD-Full_Kernel_Dump_WIN11 61 | * ###### Tactic_Id ###### 62 | * 0: TA0006 63 | * ###### Technique_Id ###### 64 | * 0: T1003 65 | * biocRuleName: ATD-Full_Kernel_Dump_WIN11 66 | * biocId: 381 67 | * additionalData: {} 68 | * rule_data: (deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation (file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex ?file_path 
"c:\\\\users\\\\.*\\\\appdata\\\\local\\\\microsoft\\\\windows\\\\taskmanager\\\\livekerneldumps\\\\livedump.*dmp" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid)))) 69 | * ### Agent_Os_Linux ### 70 | * #### Signatureconfiguration #### 71 | * ##### Default ##### 72 | * ###### Settings ###### 73 | * action: block 74 | * friendlyName: ATD-Full_Kernel_Dump_WIN11 75 | * ###### Tactic_Id ###### 76 | * 0: TA0006 77 | * ###### Technique_Id ###### 78 | * 0: T1003 79 | * biocRuleName: ATD-Full_Kernel_Dump_WIN11 80 | * biocId: 381 81 | * additionalData: {} 82 | * rule_data: (deftemplate file_operation_381 (slot cid)) (defrule file_operation_381 (file_operation (file_path ?file_path) (cid ?cid) (sub_type ?sub_type &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_write*)) (regex (lowcase ?file_path) "c:\\\\users\\\\.*\\\\appdata\\\\local\\\\microsoft\\\\windows\\\\taskmanager\\\\livekerneldumps\\\\livedump.*dmp" 0)))) (not (file_operation_381 (cid ?cid))) => (assert (file_operation_381 (cid ?cid)))) 83 | * btp_rule_name: file_operation_381 84 | * is_preventable: 1 85 | * supported_os: 7 86 | * btp_validation_error: None 87 | * xql: None 88 | * is_xql: False 89 | * query_tables: None 90 | * rule_indicator_last_modified_ts: 1742375825472 91 | * status_changed_by: None 92 | * status_changed_at: None 93 | * last_status_change_reason: None 94 | -------------------------------------------------------------------------------- /ATD-cdpsgshims.dll.bioc: -------------------------------------------------------------------------------- 1 | 9bb4cab82da739620bb1e54af0cc9d6a 2 | [{"rule_id":379,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1742377058044,"modify_time":1742377058044,"severity":"SEV_040_HIGH","source":"frank.bussink@swissexpertgroup.com","comment":"cdpsgshims.dll file created to 
disk","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":{"runOnCGO":true,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"2","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"3","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"cdpsgshims.dll","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"1767d03009b9052475a528306e7b66d2","indicator_text":"File action type = create, read, rename, write AND file name = cdpsgshims.dll","name":"ATD-cdpsgshims.dll","mitre_technique_id_and_name":"T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking","mitre_tactic_id_and_name":"TA0004 - Privilege Escalation","mitre_tactic_id":"TA0004","mitre_technique_id":"T1574.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid 
?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ATD-cdpsgshims.dll","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"ATD-cdpsgshims.dll","biocId":379,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) \"cdpsgshims.dll\")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid))))"}},"btp_rule_name":"file_operation_379","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1742377058044,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /ATD-cdpsgshims.dll.md: -------------------------------------------------------------------------------- 1 | * rule_id: 379 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1742377058044 5 | * modify_time: 1742377058044 6 | * severity: SEV_040_HIGH 7 | * source: 
frank.bussink@swissexpertgroup.com 8 | * comment: cdpsgshims.dll file created to disk 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: True 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 2 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 3 30 | * isExtended: False 31 | * SEARCH_FIELD: event_sub_type 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: 6 34 | * isExtended: False 35 | * SEARCH_FIELD: action_file_name 36 | * SEARCH_TYPE: EQ 37 | * SEARCH_VALUE: cdpsgshims.dll 38 | * ###### Extra_Fields ###### 39 | * isExtended: False 40 | * indicator_md5: 1767d03009b9052475a528306e7b66d2 41 | * indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll 42 | * name: ATD-cdpsgshims.dll 43 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 44 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 45 | * mitre_tactic_id: TA0004 46 | * mitre_technique_id: T1574.001 47 | * ## Btp_Rule ## 48 | * ### Agent_Os_Windows ### 49 | * #### Signatureconfiguration #### 50 | * ##### Default ##### 51 | * ###### Settings ###### 52 | * action: block 53 | * friendlyName: ATD-cdpsgshims.dll 54 | * ###### Tactic_Id ###### 55 | * 0: TA0004 56 | * ###### Technique_Id ###### 57 | * 0: T1574.001 58 | * biocRuleName: ATD-cdpsgshims.dll 59 | * biocId: 379 60 | * additionalData: {} 61 | * rule_data: (deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq 
?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid)))) 62 | * ### Agent_Os_Mac ### 63 | * #### Signatureconfiguration #### 64 | * ##### Default ##### 65 | * ###### Settings ###### 66 | * action: block 67 | * friendlyName: ATD-cdpsgshims.dll 68 | * ###### Tactic_Id ###### 69 | * 0: TA0004 70 | * ###### Technique_Id ###### 71 | * 0: T1574.001 72 | * biocRuleName: ATD-cdpsgshims.dll 73 | * biocId: 379 74 | * additionalData: {} 75 | * rule_data: (deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid)))) 76 | * ### Agent_Os_Linux ### 77 | * #### Signatureconfiguration #### 78 | * ##### Default ##### 79 | * ###### Settings ###### 80 | * action: block 81 | * friendlyName: ATD-cdpsgshims.dll 82 | * ###### Tactic_Id ###### 83 | * 0: TA0004 84 | * ###### Technique_Id ###### 85 | * 0: T1574.001 86 | * biocRuleName: ATD-cdpsgshims.dll 87 | * biocId: 379 88 | * additionalData: {} 89 | * rule_data: (deftemplate file_operation_379 (slot cid)) (defrule file_operation_379 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_379 (cid ?cid))) => (assert (file_operation_379 (cid ?cid)))) 90 | * btp_rule_name: file_operation_379 91 | * is_preventable: 1 92 | * supported_os: 7 93 | * btp_validation_error: None 94 | * xql: None 95 | * is_xql: False 96 | * query_tables: None 97 | * rule_indicator_last_modified_ts: 1742377058044 
98 | * status_changed_by: None 99 | * status_changed_at: None 100 | * last_status_change_reason: None 101 | -------------------------------------------------------------------------------- /BIOC-Jetico_signed.bioc: -------------------------------------------------------------------------------- 1 | 4a90391096331de93d95205e3aa00f7f 2 | [{"rule_id":502,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1638350268266,"modify_time":1638353935456,"severity":"SEV_040_HIGH","source":"frank.bussink@scrt.ch","comment":"Created by F. Bussink SCRT","status":"ENABLED","category":"EXECUTION","indicator":{"runOnCGO":true,"investigationType":"PROCESS_EXECUTION_EVENT","investigation":{"PROCESS_EXECUTION_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"agent_os_type","SEARCH_TYPE":"NEQ","SEARCH_VALUE":4,"EXTRA_FIELDS":[],"isExtended":false,"node":"xdr_agent"},{"SEARCH_FIELD":"action_process_signature_status","SEARCH_TYPE":"COMPLEX_EQ","SEARCH_VALUE":"{\"COLLECTION_TYPE\": \"SIGNATURE_STATUS\", \"COLLECTION_VALUE\": \"SIGNATURE_SIGNED\"}","EXTRA_FIELDS":[],"isExtended":false},{"SEARCH_FIELD":"action_process_signature_vendor","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"Jetico.*","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"ca1b0c73d6ed6af725f54b8f6165913f","indicator_text":"Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux","name":"SCRT JETICO Signed binary","mitre_technique_id_and_name":"","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SCRT JETICO Signed binary","tactic_id":[],"technique_id":[],"biocRuleName":"SCRT JETICO Signed binary","biocId":502,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq 
?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) \"jetico.*\" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid))))"}},"btp_rule_name":"process_start_502","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null}] 3 | -------------------------------------------------------------------------------- /BIOC-Jetico_signed.md: -------------------------------------------------------------------------------- 1 | * rule_id: 503 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1638350429925 5 | * modify_time: 1638350456574 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@scrt.ch 8 | * comment: Privesc cdpsgshims.dll 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 2 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 3 30 | * isExtended: False 31 | * SEARCH_FIELD: event_sub_type 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: 6 34 | * isExtended: False 35 | * SEARCH_FIELD: action_file_name 36 | * SEARCH_TYPE: EQ 37 | * SEARCH_VALUE: cdpsgshims.dll 38 | * ###### Extra_Fields ###### 39 | * isExtended: False 40 | * node: attributes 41 | * indicator_md5: a5d8fbe26ddbd7f48f8b4f660ed52866 42 | * indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll 43 | * name: SCRT cdpsgshims.dll created to disk 44 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 45 | * mitre_tactic_id_and_name: 
TA0004 - Privilege Escalation 46 | * mitre_tactic_id: TA0004 47 | * mitre_technique_id: T1574.001 48 | * ## Btp_Rule ## 49 | * ### Agent_Os_Windows ### 50 | * #### Signatureconfiguration #### 51 | * ##### Default ##### 52 | * ###### Settings ###### 53 | * action: block 54 | * friendlyName: SCRT cdpsgshims.dll created to disk 55 | * ###### Tactic_Id ###### 56 | * 0: TA0004 57 | * ###### Technique_Id ###### 58 | * 0: T1574.001 59 | * biocRuleName: SCRT cdpsgshims.dll created to disk 60 | * biocId: 503 61 | * additionalData: {} 62 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 63 | * ### Agent_Os_Mac ### 64 | * #### Signatureconfiguration #### 65 | * ##### Default ##### 66 | * ###### Settings ###### 67 | * action: block 68 | * friendlyName: SCRT cdpsgshims.dll created to disk 69 | * ###### Tactic_Id ###### 70 | * 0: TA0004 71 | * ###### Technique_Id ###### 72 | * 0: T1574.001 73 | * biocRuleName: SCRT cdpsgshims.dll created to disk 74 | * biocId: 503 75 | * additionalData: {} 76 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 77 | * ### Agent_Os_Linux ### 78 | * #### Signatureconfiguration #### 79 | * ##### Default ##### 80 | * ###### Settings ###### 81 | * action: block 82 | * friendlyName: SCRT cdpsgshims.dll created to disk 83 | * ###### Tactic_Id ###### 
84 | * 0: TA0004 85 | * ###### Technique_Id ###### 86 | * 0: T1574.001 87 | * biocRuleName: SCRT cdpsgshims.dll created to disk 88 | * biocId: 503 89 | * additionalData: {} 90 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 91 | * btp_rule_name: file_operation_503 92 | * is_preventable: 1 93 | * supported_os: 7 94 | * btp_validation_error: None 95 | * xql: None 96 | * is_xql: False 97 | * query_tables: None 98 | * rule_id: 502 99 | * global_rule_id: NO_ID 100 | * mssp_global_rule_id: None 101 | * insert_time: 1638350268266 102 | * modify_time: 1638353935456 103 | * severity: SEV_040_HIGH 104 | * source: frank.bussink@scrt.ch 105 | * comment: Created by F. 
Bussink SCRT 106 | * status: ENABLED 107 | * category: EXECUTION 108 | * ## Indicator ## 109 | * runOnCGO: True 110 | * investigationType: PROCESS_EXECUTION_EVENT 111 | * ### Investigation ### 112 | * #### Process_Execution_Event #### 113 | * ##### Filter ##### 114 | * ###### And ###### 115 | * SEARCH_FIELD: agent_os_type 116 | * SEARCH_TYPE: NEQ 117 | * SEARCH_VALUE: 4 118 | * ###### Extra_Fields ###### 119 | * isExtended: False 120 | * node: xdr_agent 121 | * SEARCH_FIELD: action_process_signature_status 122 | * SEARCH_TYPE: COMPLEX_EQ 123 | * SEARCH_VALUE: {"COLLECTION_TYPE": "SIGNATURE_STATUS", "COLLECTION_VALUE": "SIGNATURE_SIGNED"} 124 | * ###### Extra_Fields ###### 125 | * isExtended: False 126 | * SEARCH_FIELD: action_process_signature_vendor 127 | * SEARCH_TYPE: REGEX 128 | * SEARCH_VALUE: Jetico.* 129 | * ###### Extra_Fields ###### 130 | * isExtended: False 131 | * indicator_md5: ca1b0c73d6ed6af725f54b8f6165913f 132 | * indicator_text: Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux 133 | * name: SCRT JETICO Signed binary 134 | * mitre_technique_id_and_name: 135 | * mitre_tactic_id_and_name: 136 | * mitre_tactic_id: 137 | * mitre_technique_id: 138 | * ## Btp_Rule ## 139 | * ### Agent_Os_Windows ### 140 | * #### Signatureconfiguration #### 141 | * ##### Default ##### 142 | * ###### Settings ###### 143 | * action: block 144 | * friendlyName: SCRT JETICO Signed binary 145 | * ###### Tactic_Id ###### 146 | * ###### Technique_Id ###### 147 | * biocRuleName: SCRT JETICO Signed binary 148 | * biocId: 502 149 | * additionalData: {} 150 | * rule_data: (deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) "jetico.*" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid)))) 151 | * 
btp_rule_name: process_start_502 152 | * is_preventable: 1 153 | * supported_os: 1 154 | * btp_validation_error: WINDOWS_SUPPORT_ONLY 155 | * xql: None 156 | * is_xql: False 157 | * query_tables: None 158 | -------------------------------------------------------------------------------- /BIOC-Kerberoasting-Canary-Account.bioc: -------------------------------------------------------------------------------- 1 | 9c02bf0ab8d9db5c34273e2d3e669a66 2 | [{"rule_id":393,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1684854242506,"modify_time":1684854242506,"severity":"SEV_040_HIGH","source":"frank.bussink@e-xpertsolutions.com","comment":"This is trigguered when a TGS has been request for the canary account (in attempt to bruteforce the password)","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"8b554c9ad93cfd962b8cfa237fc99914","indicator_text":"dataset = xdr_data \/\/ Using the xdr dataset\r\n| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769\r\n| alter ServiceName = json_extract(action_evtlog_data_fields,\"$.ServiceName\") \r\n| alter ServiceName = trim(ServiceName,\"\\\"\")\r\n| alter TicketEncryptionType = json_extract(action_evtlog_data_fields,\"$.TicketEncryptionType\")\r\n| alter TicketOptions= json_extract(action_evtlog_data_fields,\"$.TicketOptions\")\r\n| alter TargetUserName= json_extract(action_evtlog_data_fields,\"$.TargetUserName\")\r\n| alter IpAddress= json_extract(action_evtlog_data_fields,\"$.IpAddress\")\r\n| alter TicketEncryptionTypeName = \"\"\r\n| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS \"0x1\", \"DES-CBC-CRC\", TicketEncryptionTypeName)\r\n| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS \"0x3\", \"DES-CBC-MD5\", TicketEncryptionTypeName )\r\n| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS \"0x11\", \"AES128-CTS-HMAC-SHA1-96\", TicketEncryptionTypeName)\r\n| alter TicketEncryptionTypeName = 
if(TicketEncryptionType CONTAINS \"0x12\", \"AES256-CTS-HMAC-SHA1-96\", TicketEncryptionTypeName)\r\n| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS \"0x17\", \"RC4-HMAC\", TicketEncryptionTypeName)\r\n| alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS \"0x18\", \"RC4-HMAC-EXP\", TicketEncryptionTypeName)\t\r\n| alter TicketOptionsName = \"\"\r\n| alter TicketOptionsName = if(TicketOptions CONTAINS \"0x40810010\", \"Forwardable, Renewable, Canonicalize, Renewable-ok\", TicketOptionsName)\r\n| alter TicketOptionsName = if(TicketOptions CONTAINS \"0x40810000\", \"Forwardable, Renewable, Canonicalize\", TicketOptionsName)\r\n| alter TicketOptionsName = if(TicketOptions CONTAINS \"0x60810010\", \"Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok\", TicketOptionsName)\r\n| filter (ServiceName = \"sqlsvc\") ","name":"BIOC-Kerberoasting Canary account","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":null,"btp_validation_error":null,"xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"AND\": [{\"LEFT\": \"$event_type\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$ENUM.EVENT_LOG\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}, {\"LEFT\": \"$action_evtlog_event_id\", \"OPERATOR\": \"EQ\", \"RIGHT\": 4769, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"ServiceName\", \"source\": {\"function\": \"json_extract\", \"parameters\": [\"$action_evtlog_data_fields\", \"$.ServiceName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"ServiceName\", \"source\": {\"function\": \"string_trim\", \"parameters\": [\"$ServiceName\", \"\\\"\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionType\", \"source\": {\"function\": \"json_extract\", \"parameters\": 
[\"$action_evtlog_data_fields\", \"$.TicketEncryptionType\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketOptions\", \"source\": {\"function\": \"json_extract\", \"parameters\": [\"$action_evtlog_data_fields\", \"$.TicketOptions\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TargetUserName\", \"source\": {\"function\": \"json_extract\", \"parameters\": [\"$action_evtlog_data_fields\", \"$.TargetUserName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"IpAddress\", \"source\": {\"function\": \"json_extract\", \"parameters\": [\"$action_evtlog_data_fields\", \"$.IpAddress\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": \"\"}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x1\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"DES-CBC-CRC\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x3\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"DES-CBC-MD5\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x11\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"AES128-CTS-HMAC-SHA1-96\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": 
\"0x12\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"AES256-CTS-HMAC-SHA1-96\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x17\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"RC4-HMAC\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketEncryptionTypeName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketEncryptionType\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x18\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"RC4-HMAC-EXP\"]], \"$TicketEncryptionTypeName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketOptionsName\", \"source\": \"\"}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketOptionsName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketOptions\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x40810010\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"Forwardable, Renewable, Canonicalize, Renewable-ok\"]], \"$TicketOptionsName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketOptionsName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketOptions\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x40810000\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"Forwardable, Renewable, Canonicalize\"]], \"$TicketOptionsName\"]}}]}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"TicketOptionsName\", \"source\": {\"function\": \"switch_case\", \"parameters\": [[[{\"filter\": {\"OR\": [{\"LEFT\": \"$TicketOptions\", \"OPERATOR\": \"CONTAINS\", \"RIGHT\": \"0x60810010\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}, \"Forwardable, Forwarded, Renewable, Canonicalize, 
Renewable-ok\"]], \"$TicketOptionsName\"]}}]}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$ServiceName\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"sqlsvc\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1684854242506}] -------------------------------------------------------------------------------- /BIOC-Kerberoasting-Canary-Account.md: -------------------------------------------------------------------------------- 1 | * rule_id: 393 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1684854242506 5 | * modify_time: 1684854242506 6 | * severity: SEV_040_HIGH 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: This is trigguered when a TGS has been request for the canary account (in attempt to bruteforce the password) 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 8b554c9ad93cfd962b8cfa237fc99914 13 | * indicator_text: dataset = xdr_data // Using the xdr dataset 14 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769 15 | | alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName") 16 | | alter ServiceName = trim(ServiceName,"\"") 17 | | alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType") 18 | | alter TicketOptions= json_extract(action_evtlog_data_fields,"$.TicketOptions") 19 | | alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName") 20 | | alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress") 21 | | alter TicketEncryptionTypeName = "" 22 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName) 23 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName ) 24 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", 
"AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 25 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 26 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", TicketEncryptionTypeName) 27 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName) 28 | | alter TicketOptionsName = "" 29 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 30 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName) 31 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 32 | | filter (ServiceName = "sqlsvc") 33 | * name: BIOC-Kerberoasting Canary account 34 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 35 | * mitre_tactic_id_and_name: TA0006 - Credential Access 36 | * mitre_tactic_id: TA0006 37 | * mitre_technique_id: T1003 38 | * btp_rule: None 39 | * btp_rule_name: None 40 | * is_preventable: 0 41 | * supported_os: None 42 | * btp_validation_error: None 43 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4769, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.ServiceName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "string_trim", "parameters": ["$ServiceName", "\""]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionType", "source": {"function": 
"json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketEncryptionType"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptions", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketOptions"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TargetUserName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TargetUserName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "IpAddress", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.IpAddress"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x1", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-CRC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x3", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-MD5"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x11", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES128-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x12", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES256-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": 
{"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x17", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x18", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC-EXP"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810000", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x60810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$ServiceName", "OPERATOR": "EQ", "RIGHT": "sqlsvc", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 44 | * is_xql: True 45 | * query_tables: ["xdr_data"] 46 | * rule_indicator_last_modified_ts: 1684854242506 47 | -------------------------------------------------------------------------------- /BIOC-MadLicensing-CVE-2024-38077-RPC-Call.bioc: 
-------------------------------------------------------------------------------- 1 | 63733c8293b370d49d6675aed6d602b9 2 | [{"rule_id":407,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1723541089258,"modify_time":1723541205625,"severity":"SEV_040_HIGH","source":"frank.bussink@swissexpertgroup.com","comment":"BIOC to detect HydraLsPipe RPC calls Terminal Server Licensing\nProne to False Positive, but rarely used","status":"ENABLED","category":"EXECUTION","indicator":null,"indicator_md5":"8a6fb9e9d2bd77ab1c78a2f4a78d9a68","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{3d267954-eeb7-11d1-b94e-00c04fa3080d}\" ","name":"BIOC-MadLicensing","mitre_technique_id_and_name":"T1021 - Remote Services","mitre_tactic_id_and_name":"TA0002 - Execution","mitre_tactic_id":"TA0002","mitre_technique_id":"T1021","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"stages\":[{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$EVENT_TYPE\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"$RPC_CALL\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_rpc_interface_uuid\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"{3d267954-eeb7-11d1-b94e-00c04fa3080d}\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}}],\"original_query\":null,\"tables\":[\"xdr_data\"]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1723541089258,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-MadLicensing-CVE-2024-38077-RPC-Call.md: -------------------------------------------------------------------------------- 1 | * rule_id: 407 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1723541089258 5 | * modify_time: 1723541205625 6 | * severity: SEV_040_HIGH 7 | * source: 
frank.bussink@swissexpertgroup.com 8 | * comment: BIOC to detect RPC calls to the HydraLsPipe interface (Terminal Server Licensing service), the interface targeted by CVE-2024-38077 9 | Prone to false positives on hosts that legitimately use Remote Desktop licensing, but the interface is rarely used otherwise; review the calling process and source host before escalating 10 | * status: ENABLED 11 | * category: EXECUTION 12 | * indicator: None 13 | * indicator_md5: 8a6fb9e9d2bd77ab1c78a2f4a78d9a68 14 | * indicator_text: dataset = xdr_data 15 | | filter EVENT_TYPE = RPC_CALL 16 | | filter event_rpc_interface_uuid = "{3d267954-eeb7-11d1-b94e-00c04fa3080d}" 17 | * name: BIOC-MadLicensing 18 | * mitre_technique_id_and_name: T1021 - Remote Services 19 | * mitre_tactic_id_and_name: TA0002 - Execution 20 | * mitre_tactic_id: TA0002 21 | * mitre_technique_id: T1021 22 | * btp_rule: None 23 | * btp_rule_name: None 24 | * is_preventable: 0 25 | * supported_os: 0 26 | * btp_validation_error: UNSUPPORTED_XQL 27 | * xql: {"stages":[{"FILTER":{"filter":{"OR":[{"LEFT":"$EVENT_TYPE","OPERATOR":"EQ","RIGHT":"$RPC_CALL","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}},{"FILTER":{"filter":{"OR":[{"LEFT":"$event_rpc_interface_uuid","OPERATOR":"EQ","RIGHT":"{3d267954-eeb7-11d1-b94e-00c04fa3080d}","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}}],"original_query":null,"tables":["xdr_data"]} 28 | * is_xql: True 29 | * query_tables: ["xdr_data"] 30 | * rule_indicator_last_modified_ts: 1723541089258 31 | * status_changed_by: None 32 | * status_changed_at: None 33 | * last_status_change_reason: None 34 | -------------------------------------------------------------------------------- /BIOC-POC-CVE-2024-49112.bioc: -------------------------------------------------------------------------------- 1 | 672d00edeebccc93235f23039a2f550a 2 | [{"rule_id":412,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1735829023643,"modify_time":1735829115651,"severity":"SEV_040_HIGH","source":"frank.bussink@swissexpertgroup.com","comment":"detection of early signs of POC CVE-2024-49112\nVulnerability is in LDAP not in 
RPC\nhttps:\/\/github.com\/SafeBreach-Labs\/CVE-2024-49112","status":"ENABLED","category":"TAMPERING","indicator":null,"indicator_md5":"3e0d65028d4fe580f8b3dfd75b811884","indicator_text":"dataset = xdr_data \r\n| filter event_type = ENUM.RPC_CALL \r\n| filter (event_rpc_interface_uuid = \"{12345678-1234-ABCD-EF00-01234567CFFB}\" )\r\n|filter (event_rpc_func_opnum = 34)","name":"BIOC-POC-CVE-2024-49112","mitre_technique_id_and_name":"T1498 - Network Denial of Service","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1498","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"stages\":[{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_type\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"$ENUM.RPC_CALL\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_rpc_interface_uuid\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"{12345678-1234-ABCD-EF00-01234567CFFB}\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_rpc_func_opnum\",\"OPERATOR\":\"EQ\",\"RIGHT\":34,\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}}],\"original_query\":null,\"tables\":[\"xdr_data\"]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1735829023643,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-PetitPotam-Authentication-Coercer.bioc: -------------------------------------------------------------------------------- 1 | 57434055d9d9152bba3da822dc54991a 2 | [{"rule_id":388,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1683118061196,"modify_time":1694168591898,"severity":"SEV_040_HIGH","source":"frank.bussink@e-xpertsolutions.com","comment":"SCRT BIOC to detect MS-EFSR RPC 
calls","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"f6473e3c9013984ff967251d17884890","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{C681D488-D850-11D0-8C52-00C04FD90F7E}\" \r\n| filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15)) ","name":"BIOC-PetitPotam-Authentication-Coercer","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$EVENT_TYPE\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$RPC_CALL\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{C681D488-D850-11D0-8C52-00C04FD90F7E}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"OR\": [{\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 0, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 4, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 5, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 6, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": 
\"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 7, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 8, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 9, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 12, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 13, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}, {\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 15, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1694168591976,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-PetitPotam-Authentication-Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 503 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1638350429925 5 | * modify_time: 1638350456574 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@scrt.ch 8 | * comment: Privesc cdpsgshims.dll 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 2 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 3 30 | * isExtended: False 31 | * SEARCH_FIELD: 
event_sub_type 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: 6 34 | * isExtended: False 35 | * SEARCH_FIELD: action_file_name 36 | * SEARCH_TYPE: EQ 37 | * SEARCH_VALUE: cdpsgshims.dll 38 | * ###### Extra_Fields ###### 39 | * isExtended: False 40 | * node: attributes 41 | * indicator_md5: a5d8fbe26ddbd7f48f8b4f660ed52866 42 | * indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll 43 | * name: SCRT cdpsgshims.dll created to disk 44 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 45 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 46 | * mitre_tactic_id: TA0004 47 | * mitre_technique_id: T1574.001 48 | * ## Btp_Rule ## 49 | * ### Agent_Os_Windows ### 50 | * #### Signatureconfiguration #### 51 | * ##### Default ##### 52 | * ###### Settings ###### 53 | * action: block 54 | * friendlyName: SCRT cdpsgshims.dll created to disk 55 | * ###### Tactic_Id ###### 56 | * 0: TA0004 57 | * ###### Technique_Id ###### 58 | * 0: T1574.001 59 | * biocRuleName: SCRT cdpsgshims.dll created to disk 60 | * biocId: 503 61 | * additionalData: {} 62 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 63 | * ### Agent_Os_Mac ### 64 | * #### Signatureconfiguration #### 65 | * ##### Default ##### 66 | * ###### Settings ###### 67 | * action: block 68 | * friendlyName: SCRT cdpsgshims.dll created to disk 69 | * ###### Tactic_Id ###### 70 | * 0: TA0004 71 | * ###### Technique_Id ###### 72 | * 0: T1574.001 73 | * biocRuleName: SCRT cdpsgshims.dll created to disk 74 | * biocId: 503 75 | * additionalData: {} 76 | * rule_data: (deftemplate 
file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 77 | * ### Agent_Os_Linux ### 78 | * #### Signatureconfiguration #### 79 | * ##### Default ##### 80 | * ###### Settings ###### 81 | * action: block 82 | * friendlyName: SCRT cdpsgshims.dll created to disk 83 | * ###### Tactic_Id ###### 84 | * 0: TA0004 85 | * ###### Technique_Id ###### 86 | * 0: T1574.001 87 | * biocRuleName: SCRT cdpsgshims.dll created to disk 88 | * biocId: 503 89 | * additionalData: {} 90 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 91 | * btp_rule_name: file_operation_503 92 | * is_preventable: 1 93 | * supported_os: 7 94 | * btp_validation_error: None 95 | * xql: None 96 | * is_xql: False 97 | * query_tables: None 98 | * rule_id: 502 99 | * global_rule_id: NO_ID 100 | * mssp_global_rule_id: None 101 | * insert_time: 1638350268266 102 | * modify_time: 1638353935456 103 | * severity: SEV_040_HIGH 104 | * source: frank.bussink@scrt.ch 105 | * comment: Created by F. 
Bussink SCRT 106 | * status: ENABLED 107 | * category: EXECUTION 108 | * ## Indicator ## 109 | * runOnCGO: True 110 | * investigationType: PROCESS_EXECUTION_EVENT 111 | * ### Investigation ### 112 | * #### Process_Execution_Event #### 113 | * ##### Filter ##### 114 | * ###### And ###### 115 | * SEARCH_FIELD: agent_os_type 116 | * SEARCH_TYPE: NEQ 117 | * SEARCH_VALUE: 4 118 | * ###### Extra_Fields ###### 119 | * isExtended: False 120 | * node: xdr_agent 121 | * SEARCH_FIELD: action_process_signature_status 122 | * SEARCH_TYPE: COMPLEX_EQ 123 | * SEARCH_VALUE: {"COLLECTION_TYPE": "SIGNATURE_STATUS", "COLLECTION_VALUE": "SIGNATURE_SIGNED"} 124 | * ###### Extra_Fields ###### 125 | * isExtended: False 126 | * SEARCH_FIELD: action_process_signature_vendor 127 | * SEARCH_TYPE: REGEX 128 | * SEARCH_VALUE: Jetico.* 129 | * ###### Extra_Fields ###### 130 | * isExtended: False 131 | * indicator_md5: ca1b0c73d6ed6af725f54b8f6165913f 132 | * indicator_text: Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux 133 | * name: SCRT JETICO Signed binary 134 | * mitre_technique_id_and_name: 135 | * mitre_tactic_id_and_name: 136 | * mitre_tactic_id: 137 | * mitre_technique_id: 138 | * ## Btp_Rule ## 139 | * ### Agent_Os_Windows ### 140 | * #### Signatureconfiguration #### 141 | * ##### Default ##### 142 | * ###### Settings ###### 143 | * action: block 144 | * friendlyName: SCRT JETICO Signed binary 145 | * ###### Tactic_Id ###### 146 | * ###### Technique_Id ###### 147 | * biocRuleName: SCRT JETICO Signed binary 148 | * biocId: 502 149 | * additionalData: {} 150 | * rule_data: (deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) "jetico.*" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid)))) 151 | * 
btp_rule_name: process_start_502 152 | * is_preventable: 1 153 | * supported_os: 1 154 | * btp_validation_error: WINDOWS_SUPPORT_ONLY 155 | * xql: None 156 | * is_xql: False 157 | * query_tables: None 158 | * rule_id: 393 159 | * global_rule_id: NO_ID 160 | * mssp_global_rule_id: None 161 | * insert_time: 1684854242506 162 | * modify_time: 1684854242506 163 | * severity: SEV_040_HIGH 164 | * source: frank.bussink@e-xpertsolutions.com 165 | * comment: This is triggered when a TGS has been requested for the canary account (Kerberoasting: the service ticket is requested so that the account's password can be brute-forced offline). The canary account has no legitimate consumer, so any hit is suspicious; TargetUserName and IpAddress identify the requester. Note that the encryption-type labelling relies on the later CONTAINS checks (0x11, 0x12, 0x17, 0x18) overriding the earlier "0x1" match, since "0x1" is a substring of those values. 166 | * status: ENABLED 167 | * category: CREDENTIAL_ACCESS 168 | * indicator: None 169 | * indicator_md5: 8b554c9ad93cfd962b8cfa237fc99914 170 | * indicator_text: dataset = xdr_data // Using the xdr dataset 171 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769 172 | | alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName") 173 | | alter ServiceName = trim(ServiceName,"\"") 174 | | alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType") 175 | | alter TicketOptions= json_extract(action_evtlog_data_fields,"$.TicketOptions") 176 | | alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName") 177 | | alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress") 178 | | alter TicketEncryptionTypeName = "" 179 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName) 180 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName ) 181 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", "AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 182 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 183 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", 
TicketEncryptionTypeName) 184 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName) 185 | | alter TicketOptionsName = "" 186 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 187 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName) 188 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 189 | | filter (ServiceName = "sqlsvc") 190 | * name: BIOC-Kerberoasting Canary account 191 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 192 | * mitre_tactic_id_and_name: TA0006 - Credential Access 193 | * mitre_tactic_id: TA0006 194 | * mitre_technique_id: T1003 195 | * btp_rule: None 196 | * btp_rule_name: None 197 | * is_preventable: 0 198 | * supported_os: None 199 | * btp_validation_error: None 200 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4769, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.ServiceName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "string_trim", "parameters": ["$ServiceName", "\""]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionType", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketEncryptionType"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptions", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketOptions"]}}]}}, {"ADD_FIELDS": 
{"fields": [{"name": "TargetUserName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TargetUserName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "IpAddress", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.IpAddress"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x1", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-CRC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x3", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-MD5"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x11", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES128-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x12", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES256-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x17", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": 
"TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x18", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC-EXP"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810000", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x60810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$ServiceName", "OPERATOR": "EQ", "RIGHT": "sqlsvc", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 201 | * is_xql: True 202 | * query_tables: ["xdr_data"] 203 | * rule_indicator_last_modified_ts: 1684854242506 204 | * rule_id: 388 205 | * global_rule_id: NO_ID 206 | * mssp_global_rule_id: None 207 | * insert_time: 1683118061196 208 | * modify_time: 1694168591898 209 | * severity: SEV_040_HIGH 210 | * source: frank.bussink@e-xpertsolutions.com 211 | * comment: SCRT BIOC to detect MS-EFSR RPC calls 212 | * status: ENABLED 213 | * category: CREDENTIAL_ACCESS 214 | * indicator: None 215 | * indicator_md5: 
f6473e3c9013984ff967251d17884890 216 | * indicator_text: dataset = xdr_data 217 | | filter EVENT_TYPE = RPC_CALL 218 | | filter event_rpc_interface_uuid = "{C681D488-D850-11D0-8C52-00C04FD90F7E}" 219 | | filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15)) 220 | * name: BIOC-PetitPotam-Authentication-Coercer 221 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 222 | * mitre_tactic_id_and_name: TA0006 - Credential Access 223 | * mitre_tactic_id: TA0006 224 | * mitre_technique_id: T1003 225 | * btp_rule: None 226 | * btp_rule_name: None 227 | * is_preventable: 0 228 | * supported_os: 0 229 | * btp_validation_error: UNSUPPORTED_XQL 230 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{C681D488-D850-11D0-8C52-00C04FD90F7E}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 0, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 4, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 5, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 6, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 7, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 8, 
"FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 15, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 231 | * is_xql: True 232 | * query_tables: ["xdr_data"] 233 | * rule_indicator_last_modified_ts: 1694168591976 234 | * status_changed_by: None 235 | * status_changed_at: None 236 | * last_status_change_reason: None 237 | -------------------------------------------------------------------------------- /BIOC-PetitPotam-EventLog-ElfrOpenBELW.bioc: -------------------------------------------------------------------------------- 1 | a787b179c49be8370e26ac50da4ec774 2 | [{"rule_id":397,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1694169318013,"modify_time":1694169318013,"severity":"SEV_040_HIGH","source":"frank.bussink@e-xpertsolutions.com","comment":"E-XpertSolutions BIOC to detect Coerce project","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"584883bf13f35adb2d803c0525401140","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{82273FDC-E32A-18C3-3F78-827929DC23EA}\" \r\n| filter (action_rpc_func_opnum = 9)","name":"BIOC-PetitPotam-EventLog-ElfrOpenBELW","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":null,"btp_validation_error":null,"xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$EVENT_TYPE\", \"OPERATOR\": \"EQ\", \"RIGHT\": 
\"$RPC_CALL\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{82273FDC-E32A-18C3-3F78-827929DC23EA}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 9, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1694169318013,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-PetitPotam-EventLog-ElfrOpenBELW.md: -------------------------------------------------------------------------------- 1 | * rule_id: 397 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1694169318013 5 | * modify_time: 1694169318013 6 | * severity: SEV_040_HIGH 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: E-XpertSolutions BIOC to detect Coerce project 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 584883bf13f35adb2d803c0525401140 13 | * indicator_text: dataset = xdr_data 14 | | filter EVENT_TYPE = RPC_CALL 15 | | filter event_rpc_interface_uuid = "{82273FDC-E32A-18C3-3F78-827929DC23EA}" 16 | | filter (action_rpc_func_opnum = 9) 17 | * name: BIOC-PetitPotam-EventLog-ElfrOpenBELW 18 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 19 | * mitre_tactic_id_and_name: TA0006 - Credential Access 20 | * mitre_tactic_id: TA0006 21 | * mitre_technique_id: T1003 22 | * btp_rule: None 23 | * btp_rule_name: None 24 | * is_preventable: 0 25 | * supported_os: None 26 | * btp_validation_error: None 27 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": 
"EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{82273FDC-E32A-18C3-3F78-827929DC23EA}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 28 | * is_xql: True 29 | * query_tables: ["xdr_data"] 30 | * rule_indicator_last_modified_ts: 1694169318013 31 | * status_changed_by: None 32 | * status_changed_at: None 33 | * last_status_change_reason: None 34 | -------------------------------------------------------------------------------- /BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.bioc: -------------------------------------------------------------------------------- 1 | ecfc779125a45aa6b750c79f5161edf0 2 | [{"rule_id":537,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1658410759398,"modify_time":1658410759398,"severity":"SEV_020_LOW","source":"frank.bussink@scrt.ch","comment":"SCRT rule to detect Authentication Coerce PetitPotam on MS-DFSNM Op 12 or Op 13","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"a8d61ecc099487a2152fe07ca680bf06","indicator_text":"dataset = xdr_data\r\n| filter event_type = ENUM.RPC_CALL\r\n| filter (event_rpc_interface_uuid = \"{4FC742E0-4A10-11CF-8273-00AA004AE673}\" )\r\n| filter ((event_rpc_func_opnum = 12) or (event_rpc_func_opnum = 13))\r\n","name":"SCRT_PetitPotam_MS_DFSNM_Authentication_Coerce","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":null,"btp_validation_error":null,"xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_type\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$ENUM.RPC_CALL\", \"FILTER_DIALECT\": 
\"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{4FC742E0-4A10-11CF-8273-00AA004AE673}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 12, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}, {\"LEFT\": \"$event_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 13, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1658410759398}] 3 | -------------------------------------------------------------------------------- /BIOC-PetitPotam_DFSNM_Authenticaton_Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 503 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1638350429925 5 | * modify_time: 1638350456574 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@scrt.ch 8 | * comment: Privesc cdpsgshims.dll 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 2 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 3 30 | * isExtended: False 31 | * SEARCH_FIELD: event_sub_type 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: 6 34 | * isExtended: False 35 | * SEARCH_FIELD: action_file_name 36 | * SEARCH_TYPE: EQ 37 | * SEARCH_VALUE: cdpsgshims.dll 38 | * ###### Extra_Fields ###### 39 | * isExtended: False 40 | * node: attributes 41 | * indicator_md5: 
a5d8fbe26ddbd7f48f8b4f660ed52866 42 | * indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll 43 | * name: SCRT cdpsgshims.dll created to disk 44 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 45 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 46 | * mitre_tactic_id: TA0004 47 | * mitre_technique_id: T1574.001 48 | * ## Btp_Rule ## 49 | * ### Agent_Os_Windows ### 50 | * #### Signatureconfiguration #### 51 | * ##### Default ##### 52 | * ###### Settings ###### 53 | * action: block 54 | * friendlyName: SCRT cdpsgshims.dll created to disk 55 | * ###### Tactic_Id ###### 56 | * 0: TA0004 57 | * ###### Technique_Id ###### 58 | * 0: T1574.001 59 | * biocRuleName: SCRT cdpsgshims.dll created to disk 60 | * biocId: 503 61 | * additionalData: {} 62 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 63 | * ### Agent_Os_Mac ### 64 | * #### Signatureconfiguration #### 65 | * ##### Default ##### 66 | * ###### Settings ###### 67 | * action: block 68 | * friendlyName: SCRT cdpsgshims.dll created to disk 69 | * ###### Tactic_Id ###### 70 | * 0: TA0004 71 | * ###### Technique_Id ###### 72 | * 0: T1574.001 73 | * biocRuleName: SCRT cdpsgshims.dll created to disk 74 | * biocId: 503 75 | * additionalData: {} 76 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not 
(file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 77 | * ### Agent_Os_Linux ### 78 | * #### Signatureconfiguration #### 79 | * ##### Default ##### 80 | * ###### Settings ###### 81 | * action: block 82 | * friendlyName: SCRT cdpsgshims.dll created to disk 83 | * ###### Tactic_Id ###### 84 | * 0: TA0004 85 | * ###### Technique_Id ###### 86 | * 0: T1574.001 87 | * biocRuleName: SCRT cdpsgshims.dll created to disk 88 | * biocId: 503 89 | * additionalData: {} 90 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 91 | * btp_rule_name: file_operation_503 92 | * is_preventable: 1 93 | * supported_os: 7 94 | * btp_validation_error: None 95 | * xql: None 96 | * is_xql: False 97 | * query_tables: None 98 | * rule_id: 502 99 | * global_rule_id: NO_ID 100 | * mssp_global_rule_id: None 101 | * insert_time: 1638350268266 102 | * modify_time: 1638353935456 103 | * severity: SEV_040_HIGH 104 | * source: frank.bussink@scrt.ch 105 | * comment: Created by F. 
Bussink SCRT 106 | * status: ENABLED 107 | * category: EXECUTION 108 | * ## Indicator ## 109 | * runOnCGO: True 110 | * investigationType: PROCESS_EXECUTION_EVENT 111 | * ### Investigation ### 112 | * #### Process_Execution_Event #### 113 | * ##### Filter ##### 114 | * ###### And ###### 115 | * SEARCH_FIELD: agent_os_type 116 | * SEARCH_TYPE: NEQ 117 | * SEARCH_VALUE: 4 118 | * ###### Extra_Fields ###### 119 | * isExtended: False 120 | * node: xdr_agent 121 | * SEARCH_FIELD: action_process_signature_status 122 | * SEARCH_TYPE: COMPLEX_EQ 123 | * SEARCH_VALUE: {"COLLECTION_TYPE": "SIGNATURE_STATUS", "COLLECTION_VALUE": "SIGNATURE_SIGNED"} 124 | * ###### Extra_Fields ###### 125 | * isExtended: False 126 | * SEARCH_FIELD: action_process_signature_vendor 127 | * SEARCH_TYPE: REGEX 128 | * SEARCH_VALUE: Jetico.* 129 | * ###### Extra_Fields ###### 130 | * isExtended: False 131 | * indicator_md5: ca1b0c73d6ed6af725f54b8f6165913f 132 | * indicator_text: Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux 133 | * name: SCRT JETICO Signed binary 134 | * mitre_technique_id_and_name: 135 | * mitre_tactic_id_and_name: 136 | * mitre_tactic_id: 137 | * mitre_technique_id: 138 | * ## Btp_Rule ## 139 | * ### Agent_Os_Windows ### 140 | * #### Signatureconfiguration #### 141 | * ##### Default ##### 142 | * ###### Settings ###### 143 | * action: block 144 | * friendlyName: SCRT JETICO Signed binary 145 | * ###### Tactic_Id ###### 146 | * ###### Technique_Id ###### 147 | * biocRuleName: SCRT JETICO Signed binary 148 | * biocId: 502 149 | * additionalData: {} 150 | * rule_data: (deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) "jetico.*" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid)))) 151 | * 
btp_rule_name: process_start_502 152 | * is_preventable: 1 153 | * supported_os: 1 154 | * btp_validation_error: WINDOWS_SUPPORT_ONLY 155 | * xql: None 156 | * is_xql: False 157 | * query_tables: None 158 | * rule_id: 393 159 | * global_rule_id: NO_ID 160 | * mssp_global_rule_id: None 161 | * insert_time: 1684854242506 162 | * modify_time: 1684854242506 163 | * severity: SEV_040_HIGH 164 | * source: frank.bussink@e-xpertsolutions.com 165 | * comment: This is triggered when a TGS has been requested for the canary account (in an attempt to brute-force the password) 166 | * status: ENABLED 167 | * category: CREDENTIAL_ACCESS 168 | * indicator: None 169 | * indicator_md5: 8b554c9ad93cfd962b8cfa237fc99914 170 | * indicator_text: dataset = xdr_data // Using the xdr dataset 171 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769 172 | | alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName") 173 | | alter ServiceName = trim(ServiceName,"\"") 174 | | alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType") 175 | | alter TicketOptions= json_extract(action_evtlog_data_fields,"$.TicketOptions") 176 | | alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName") 177 | | alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress") 178 | | alter TicketEncryptionTypeName = "" 179 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName) 180 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName ) 181 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", "AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 182 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 183 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", 
TicketEncryptionTypeName) 184 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName) 185 | | alter TicketOptionsName = "" 186 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 187 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName) 188 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 189 | | filter (ServiceName = "sqlsvc") 190 | * name: BIOC-Kerberoasting Canary account 191 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 192 | * mitre_tactic_id_and_name: TA0006 - Credential Access 193 | * mitre_tactic_id: TA0006 194 | * mitre_technique_id: T1003 195 | * btp_rule: None 196 | * btp_rule_name: None 197 | * is_preventable: 0 198 | * supported_os: None 199 | * btp_validation_error: None 200 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4769, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.ServiceName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "string_trim", "parameters": ["$ServiceName", "\""]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionType", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketEncryptionType"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptions", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketOptions"]}}]}}, {"ADD_FIELDS": 
{"fields": [{"name": "TargetUserName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TargetUserName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "IpAddress", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.IpAddress"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x1", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-CRC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x3", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-MD5"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x11", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES128-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x12", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES256-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x17", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": 
"TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x18", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC-EXP"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810000", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x60810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$ServiceName", "OPERATOR": "EQ", "RIGHT": "sqlsvc", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 201 | * is_xql: True 202 | * query_tables: ["xdr_data"] 203 | * rule_indicator_last_modified_ts: 1684854242506 204 | * rule_id: 388 205 | * global_rule_id: NO_ID 206 | * mssp_global_rule_id: None 207 | * insert_time: 1683118061196 208 | * modify_time: 1694168591898 209 | * severity: SEV_040_HIGH 210 | * source: frank.bussink@e-xpertsolutions.com 211 | * comment: SCRT BIOC to detect MS-EFSR RPC calls 212 | * status: ENABLED 213 | * category: CREDENTIAL_ACCESS 214 | * indicator: None 215 | * indicator_md5: 
f6473e3c9013984ff967251d17884890 216 | * indicator_text: dataset = xdr_data 217 | | filter EVENT_TYPE = RPC_CALL 218 | | filter event_rpc_interface_uuid = "{C681D488-D850-11D0-8C52-00C04FD90F7E}" 219 | | filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15)) 220 | * name: BIOC-PetitPotam-Authentication-Coercer 221 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 222 | * mitre_tactic_id_and_name: TA0006 - Credential Access 223 | * mitre_tactic_id: TA0006 224 | * mitre_technique_id: T1003 225 | * btp_rule: None 226 | * btp_rule_name: None 227 | * is_preventable: 0 228 | * supported_os: 0 229 | * btp_validation_error: UNSUPPORTED_XQL 230 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{C681D488-D850-11D0-8C52-00C04FD90F7E}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 0, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 4, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 5, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 6, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 7, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 8, 
"FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 15, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 231 | * is_xql: True 232 | * query_tables: ["xdr_data"] 233 | * rule_indicator_last_modified_ts: 1694168591976 234 | * status_changed_by: None 235 | * status_changed_at: None 236 | * last_status_change_reason: None 237 | * rule_id: 397 238 | * global_rule_id: NO_ID 239 | * mssp_global_rule_id: None 240 | * insert_time: 1694169318013 241 | * modify_time: 1694169318013 242 | * severity: SEV_040_HIGH 243 | * source: frank.bussink@e-xpertsolutions.com 244 | * comment: E-XpertSolutions BIOC to detect Coerce project 245 | * status: ENABLED 246 | * category: CREDENTIAL_ACCESS 247 | * indicator: None 248 | * indicator_md5: 584883bf13f35adb2d803c0525401140 249 | * indicator_text: dataset = xdr_data 250 | | filter EVENT_TYPE = RPC_CALL 251 | | filter event_rpc_interface_uuid = "{82273FDC-E32A-18C3-3F78-827929DC23EA}" 252 | | filter (action_rpc_func_opnum = 9) 253 | * name: BIOC-PetitPotam-EventLog-ElfrOpenBELW 254 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 255 | * mitre_tactic_id_and_name: TA0006 - Credential Access 256 | * mitre_tactic_id: TA0006 257 | * mitre_technique_id: T1003 258 | * btp_rule: None 259 | * btp_rule_name: None 260 | * is_preventable: 0 261 | * supported_os: None 262 | * btp_validation_error: None 263 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", 
"OPERATOR": "EQ", "RIGHT": "{82273FDC-E32A-18C3-3F78-827929DC23EA}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 264 | * is_xql: True 265 | * query_tables: ["xdr_data"] 266 | * rule_indicator_last_modified_ts: 1694169318013 267 | * status_changed_by: None 268 | * status_changed_at: None 269 | * last_status_change_reason: None 270 | * rule_id: 537 271 | * global_rule_id: NO_ID 272 | * mssp_global_rule_id: None 273 | * insert_time: 1658410759398 274 | * modify_time: 1658410759398 275 | * severity: SEV_020_LOW 276 | * source: frank.bussink@scrt.ch 277 | * comment: SCRT rule to detect Authentication Coerce PetitPotam on MS-DFSNM Op 12 or Op 13 278 | * status: ENABLED 279 | * category: CREDENTIAL_ACCESS 280 | * indicator: None 281 | * indicator_md5: a8d61ecc099487a2152fe07ca680bf06 282 | * indicator_text: dataset = xdr_data 283 | | filter event_type = ENUM.RPC_CALL 284 | | filter (event_rpc_interface_uuid = "{4FC742E0-4A10-11CF-8273-00AA004AE673}" ) 285 | | filter ((event_rpc_func_opnum = 12) or (event_rpc_func_opnum = 13)) 286 | 287 | * name: SCRT_PetitPotam_MS_DFSNM_Authentication_Coerce 288 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 289 | * mitre_tactic_id_and_name: TA0006 - Credential Access 290 | * mitre_tactic_id: TA0006 291 | * mitre_technique_id: T1003 292 | * btp_rule: None 293 | * btp_rule_name: None 294 | * is_preventable: 0 295 | * supported_os: None 296 | * btp_validation_error: None 297 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{4FC742E0-4A10-11CF-8273-00AA004AE673}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": 
"$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 298 | * is_xql: True 299 | * query_tables: ["xdr_data"] 300 | * rule_indicator_last_modified_ts: 1658410759398 301 | -------------------------------------------------------------------------------- /BIOC-PetitPotam_Spoolss_Authentication_Coercer.bioc: -------------------------------------------------------------------------------- 1 | 00de32ae2b959e17d36946a2d0c5d687 2 | [{"rule_id":535,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1658397007681,"modify_time":1658410787888,"severity":"SEV_020_LOW","source":"frank.bussink@scrt.ch","comment":"SCRT BIOC to detect MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"2b19fe216d6e1efff594f0453f07dc67","indicator_text":"dataset = xdr_data \r\n| filter EVENT_TYPE = RPC_CALL\r\n| filter event_rpc_interface_uuid = \"{12345678-1234-ABCD-EF00-0123456789AB}\" \r\n| filter ((action_rpc_func_opnum = 65) ) ","name":"SCRT-PetitPotam-Spoolss-Authentication-Coercer","mitre_technique_id_and_name":"","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$EVENT_TYPE\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$RPC_CALL\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_rpc_interface_uuid\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"{12345678-1234-ABCD-EF00-0123456789AB}\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_rpc_func_opnum\", \"OPERATOR\": \"EQ\", \"RIGHT\": 65, \"FILTER_DIALECT\": 
\"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1658404769097}] 3 | -------------------------------------------------------------------------------- /BIOC-PetitPotam_Spoolss_Authentication_Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 503 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1638350429925 5 | * modify_time: 1638350456574 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@scrt.ch 8 | * comment: Privesc cdpsgshims.dll 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 2 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 3 30 | * isExtended: False 31 | * SEARCH_FIELD: event_sub_type 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: 6 34 | * isExtended: False 35 | * SEARCH_FIELD: action_file_name 36 | * SEARCH_TYPE: EQ 37 | * SEARCH_VALUE: cdpsgshims.dll 38 | * ###### Extra_Fields ###### 39 | * isExtended: False 40 | * node: attributes 41 | * indicator_md5: a5d8fbe26ddbd7f48f8b4f660ed52866 42 | * indicator_text: File action type = create, read, rename, write AND file name = cdpsgshims.dll 43 | * name: SCRT cdpsgshims.dll created to disk 44 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 45 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 46 | * mitre_tactic_id: TA0004 47 | * mitre_technique_id: T1574.001 48 | * ## Btp_Rule ## 49 | * ### Agent_Os_Windows ### 50 | * #### 
Signatureconfiguration #### 51 | * ##### Default ##### 52 | * ###### Settings ###### 53 | * action: block 54 | * friendlyName: SCRT cdpsgshims.dll created to disk 55 | * ###### Tactic_Id ###### 56 | * 0: TA0004 57 | * ###### Technique_Id ###### 58 | * 0: T1574.001 59 | * biocRuleName: SCRT cdpsgshims.dll created to disk 60 | * biocId: 503 61 | * additionalData: {} 62 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 63 | * ### Agent_Os_Mac ### 64 | * #### Signatureconfiguration #### 65 | * ##### Default ##### 66 | * ###### Settings ###### 67 | * action: block 68 | * friendlyName: SCRT cdpsgshims.dll created to disk 69 | * ###### Tactic_Id ###### 70 | * 0: TA0004 71 | * ###### Technique_Id ###### 72 | * 0: T1574.001 73 | * biocRuleName: SCRT cdpsgshims.dll created to disk 74 | * biocId: 503 75 | * additionalData: {} 76 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 77 | * ### Agent_Os_Linux ### 78 | * #### Signatureconfiguration #### 79 | * ##### Default ##### 80 | * ###### Settings ###### 81 | * action: block 82 | * friendlyName: SCRT cdpsgshims.dll created to disk 83 | * ###### Tactic_Id ###### 84 | * 0: TA0004 85 | * ###### Technique_Id ###### 86 | * 0: T1574.001 87 | * biocRuleName: SCRT cdpsgshims.dll created to disk 88 | * biocId: 503 89 | * 
additionalData: {} 90 | * rule_data: (deftemplate file_operation_503 (slot cid)) (defrule file_operation_503 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_open*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "cdpsgshims.dll")))) (not (file_operation_503 (cid ?cid))) => (assert (file_operation_503 (cid ?cid)))) 91 | * btp_rule_name: file_operation_503 92 | * is_preventable: 1 93 | * supported_os: 7 94 | * btp_validation_error: None 95 | * xql: None 96 | * is_xql: False 97 | * query_tables: None 98 | * rule_id: 502 99 | * global_rule_id: NO_ID 100 | * mssp_global_rule_id: None 101 | * insert_time: 1638350268266 102 | * modify_time: 1638353935456 103 | * severity: SEV_040_HIGH 104 | * source: frank.bussink@scrt.ch 105 | * comment: Created by F. Bussink SCRT 106 | * status: ENABLED 107 | * category: EXECUTION 108 | * ## Indicator ## 109 | * runOnCGO: True 110 | * investigationType: PROCESS_EXECUTION_EVENT 111 | * ### Investigation ### 112 | * #### Process_Execution_Event #### 113 | * ##### Filter ##### 114 | * ###### And ###### 115 | * SEARCH_FIELD: agent_os_type 116 | * SEARCH_TYPE: NEQ 117 | * SEARCH_VALUE: 4 118 | * ###### Extra_Fields ###### 119 | * isExtended: False 120 | * node: xdr_agent 121 | * SEARCH_FIELD: action_process_signature_status 122 | * SEARCH_TYPE: COMPLEX_EQ 123 | * SEARCH_VALUE: {"COLLECTION_TYPE": "SIGNATURE_STATUS", "COLLECTION_VALUE": "SIGNATURE_SIGNED"} 124 | * ###### Extra_Fields ###### 125 | * isExtended: False 126 | * SEARCH_FIELD: action_process_signature_vendor 127 | * SEARCH_TYPE: REGEX 128 | * SEARCH_VALUE: Jetico.* 129 | * ###### Extra_Fields ###### 130 | * isExtended: False 131 | * indicator_md5: ca1b0c73d6ed6af725f54b8f6165913f 132 | * indicator_text: Process action type = execution AND process execution signature = Signed AND process execution signer =~ Jetico.* Host host os != linux 133 | * name: SCRT 
JETICO Signed binary 134 | * mitre_technique_id_and_name: 135 | * mitre_tactic_id_and_name: 136 | * mitre_tactic_id: 137 | * mitre_technique_id: 138 | * ## Btp_Rule ## 139 | * ### Agent_Os_Windows ### 140 | * #### Signatureconfiguration #### 141 | * ##### Default ##### 142 | * ###### Settings ###### 143 | * action: block 144 | * friendlyName: SCRT JETICO Signed binary 145 | * ###### Tactic_Id ###### 146 | * ###### Technique_Id ###### 147 | * biocRuleName: SCRT JETICO Signed binary 148 | * biocId: 502 149 | * additionalData: {} 150 | * rule_data: (deftemplate process_start_502 (slot cid)) (defrule process_start_502 (process_start (is_sign ?is_sign) (cid ?cid) (signer_name ?signer_name &: (and (eq ?is_sign ?*signature_state_signed*) (regex (lowcase ?signer_name) "jetico.*" 0)))) (not (process_start_502 (cid ?cid))) => (assert (process_start_502 (cid ?cid)))) 151 | * btp_rule_name: process_start_502 152 | * is_preventable: 1 153 | * supported_os: 1 154 | * btp_validation_error: WINDOWS_SUPPORT_ONLY 155 | * xql: None 156 | * is_xql: False 157 | * query_tables: None 158 | * rule_id: 393 159 | * global_rule_id: NO_ID 160 | * mssp_global_rule_id: None 161 | * insert_time: 1684854242506 162 | * modify_time: 1684854242506 163 | * severity: SEV_040_HIGH 164 | * source: frank.bussink@e-xpertsolutions.com 165 | * comment: This is triggered when a TGS has been requested for the canary account (in an attempt to bruteforce the password) 166 | * status: ENABLED 167 | * category: CREDENTIAL_ACCESS 168 | * indicator: None 169 | * indicator_md5: 8b554c9ad93cfd962b8cfa237fc99914 170 | * indicator_text: dataset = xdr_data // Using the xdr dataset 171 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769 172 | | alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName") 173 | | alter ServiceName = trim(ServiceName,"\"") 174 | | alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType") 175 | | alter TicketOptions= 
json_extract(action_evtlog_data_fields,"$.TicketOptions") 176 | | alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName") 177 | | alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress") 178 | | alter TicketEncryptionTypeName = "" 179 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName) 180 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName ) 181 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", "AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 182 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 183 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", TicketEncryptionTypeName) 184 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName) 185 | | alter TicketOptionsName = "" 186 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 187 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName) 188 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 189 | | filter (ServiceName = "sqlsvc") 190 | * name: BIOC-Kerberoasting Canary account 191 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 192 | * mitre_tactic_id_and_name: TA0006 - Credential Access 193 | * mitre_tactic_id: TA0006 194 | * mitre_technique_id: T1003 195 | * btp_rule: None 196 | * btp_rule_name: None 197 | * is_preventable: 0 198 | * supported_os: None 199 | * btp_validation_error: None 200 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": 
{"AND": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.EVENT_LOG", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_evtlog_event_id", "OPERATOR": "EQ", "RIGHT": 4769, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.ServiceName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "ServiceName", "source": {"function": "string_trim", "parameters": ["$ServiceName", "\""]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionType", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketEncryptionType"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptions", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TicketOptions"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TargetUserName", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.TargetUserName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "IpAddress", "source": {"function": "json_extract", "parameters": ["$action_evtlog_data_fields", "$.IpAddress"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x1", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-CRC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x3", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "DES-CBC-MD5"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": 
[[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x11", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES128-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x12", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "AES256-CTS-HMAC-SHA1-96"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x17", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketEncryptionTypeName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketEncryptionType", "OPERATOR": "CONTAINS", "RIGHT": "0x18", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "RC4-HMAC-EXP"]], "$TicketEncryptionTypeName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": ""}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": {"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x40810000", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Renewable, Canonicalize"]], "$TicketOptionsName"]}}]}}, {"ADD_FIELDS": {"fields": [{"name": "TicketOptionsName", "source": {"function": "switch_case", "parameters": [[[{"filter": 
{"OR": [{"LEFT": "$TicketOptions", "OPERATOR": "CONTAINS", "RIGHT": "0x60810010", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}, "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok"]], "$TicketOptionsName"]}}]}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$ServiceName", "OPERATOR": "EQ", "RIGHT": "sqlsvc", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 201 | * is_xql: True 202 | * query_tables: ["xdr_data"] 203 | * rule_indicator_last_modified_ts: 1684854242506 204 | * rule_id: 388 205 | * global_rule_id: NO_ID 206 | * mssp_global_rule_id: None 207 | * insert_time: 1683118061196 208 | * modify_time: 1694168591898 209 | * severity: SEV_040_HIGH 210 | * source: frank.bussink@e-xpertsolutions.com 211 | * comment: SCRT BIOC to detect MS-EFSR RPC calls 212 | * status: ENABLED 213 | * category: CREDENTIAL_ACCESS 214 | * indicator: None 215 | * indicator_md5: f6473e3c9013984ff967251d17884890 216 | * indicator_text: dataset = xdr_data 217 | | filter EVENT_TYPE = RPC_CALL 218 | | filter event_rpc_interface_uuid = "{C681D488-D850-11D0-8C52-00C04FD90F7E}" 219 | | filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 8) or (action_rpc_func_opnum = 9) or (action_rpc_func_opnum = 12) or (action_rpc_func_opnum = 13) or(action_rpc_func_opnum = 15)) 220 | * name: BIOC-PetitPotam-Authentication-Coercer 221 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 222 | * mitre_tactic_id_and_name: TA0006 - Credential Access 223 | * mitre_tactic_id: TA0006 224 | * mitre_technique_id: T1003 225 | * btp_rule: None 226 | * btp_rule_name: None 227 | * is_preventable: 0 228 | * supported_os: 0 229 | * btp_validation_error: UNSUPPORTED_XQL 230 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": 
{"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{C681D488-D850-11D0-8C52-00C04FD90F7E}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 0, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 4, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 5, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 6, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 7, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 8, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 15, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 231 | * is_xql: True 232 | * query_tables: ["xdr_data"] 233 | * rule_indicator_last_modified_ts: 1694168591976 234 | * status_changed_by: None 235 | * status_changed_at: None 236 | * last_status_change_reason: None 237 | * rule_id: 397 238 | * global_rule_id: NO_ID 239 | * mssp_global_rule_id: None 240 | * insert_time: 1694169318013 241 | * modify_time: 1694169318013 242 | * severity: SEV_040_HIGH 243 | * source: frank.bussink@e-xpertsolutions.com 244 | * comment: E-XpertSolutions BIOC to detect Coerce project 245 | * status: ENABLED 246 | * category: CREDENTIAL_ACCESS 247 | * indicator: None 248 | * indicator_md5: 
584883bf13f35adb2d803c0525401140 249 | * indicator_text: dataset = xdr_data 250 | | filter EVENT_TYPE = RPC_CALL 251 | | filter event_rpc_interface_uuid = "{82273FDC-E32A-18C3-3F78-827929DC23EA}" 252 | | filter (action_rpc_func_opnum = 9) 253 | * name: BIOC-PetitPotam-EventLog-ElfrOpenBELW 254 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 255 | * mitre_tactic_id_and_name: TA0006 - Credential Access 256 | * mitre_tactic_id: TA0006 257 | * mitre_technique_id: T1003 258 | * btp_rule: None 259 | * btp_rule_name: None 260 | * is_preventable: 0 261 | * supported_os: None 262 | * btp_validation_error: None 263 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{82273FDC-E32A-18C3-3F78-827929DC23EA}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 9, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 264 | * is_xql: True 265 | * query_tables: ["xdr_data"] 266 | * rule_indicator_last_modified_ts: 1694169318013 267 | * status_changed_by: None 268 | * status_changed_at: None 269 | * last_status_change_reason: None 270 | * rule_id: 537 271 | * global_rule_id: NO_ID 272 | * mssp_global_rule_id: None 273 | * insert_time: 1658410759398 274 | * modify_time: 1658410759398 275 | * severity: SEV_020_LOW 276 | * source: frank.bussink@scrt.ch 277 | * comment: SCRT rule to detect Authentication Coerce PetitPotam on MS-DFSNM Op 12 or Op 13 278 | * status: ENABLED 279 | * category: CREDENTIAL_ACCESS 280 | * indicator: None 281 | * indicator_md5: a8d61ecc099487a2152fe07ca680bf06 282 | * indicator_text: dataset = xdr_data 283 | | filter event_type = ENUM.RPC_CALL 284 | | filter (event_rpc_interface_uuid = "{4FC742E0-4A10-11CF-8273-00AA004AE673}" ) 285 | | filter 
((event_rpc_func_opnum = 12) or (event_rpc_func_opnum = 13)) 286 | 287 | * name: SCRT_PetitPotam_MS_DFSNM_Authentication_Coerce 288 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 289 | * mitre_tactic_id_and_name: TA0006 - Credential Access 290 | * mitre_tactic_id: TA0006 291 | * mitre_technique_id: T1003 292 | * btp_rule: None 293 | * btp_rule_name: None 294 | * is_preventable: 0 295 | * supported_os: None 296 | * btp_validation_error: None 297 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{4FC742E0-4A10-11CF-8273-00AA004AE673}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 298 | * is_xql: True 299 | * query_tables: ["xdr_data"] 300 | * rule_indicator_last_modified_ts: 1658410759398 301 | * rule_id: 535 302 | * global_rule_id: NO_ID 303 | * mssp_global_rule_id: None 304 | * insert_time: 1658397007681 305 | * modify_time: 1658410787888 306 | * severity: SEV_020_LOW 307 | * source: frank.bussink@scrt.ch 308 | * comment: SCRT BIOC to detect MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx 309 | * status: ENABLED 310 | * category: CREDENTIAL_ACCESS 311 | * indicator: None 312 | * indicator_md5: 2b19fe216d6e1efff594f0453f07dc67 313 | * indicator_text: dataset = xdr_data 314 | | filter EVENT_TYPE = RPC_CALL 315 | | filter event_rpc_interface_uuid = "{12345678-1234-ABCD-EF00-0123456789AB}" 316 | | filter ((action_rpc_func_opnum = 65) ) 317 | * name: SCRT-PetitPotam-Spoolss-Authentication-Coercer 318 | * mitre_technique_id_and_name: 319 | * mitre_tactic_id_and_name: 320 | 
* mitre_tactic_id: 321 | * mitre_technique_id: 322 | * btp_rule: None 323 | * btp_rule_name: None 324 | * is_preventable: 0 325 | * supported_os: 0 326 | * btp_validation_error: UNSUPPORTED_XQL 327 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{12345678-1234-ABCD-EF00-0123456789AB}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 65, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 328 | * is_xql: True 329 | * query_tables: ["xdr_data"] 330 | * rule_indicator_last_modified_ts: 1658404769097 331 | -------------------------------------------------------------------------------- /BIOC-RBCD_Attack.bioc: -------------------------------------------------------------------------------- 1 | 86cb8d4bb5348a333fc869c9d7baa259 2 | [{"rule_id":395,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1643316022296,"modify_time":1643316022296,"severity":"SEV_030_MEDIUM","source":"frank.bussink@scrt.ch","comment":"Possible RBCD Attack. 
A computer account creates another Computer account.\nhttps:\/\/www.bussink.net\/rbcd-webclient-attack\/","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":null,"indicator_md5":"a446f0072748b2bb6dadc13136560211","indicator_text":"dataset = xdr_data \r\n| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741\r\n| filter action_evtlog_message ~= \".*A computer account was created.*\"\r\n| alter AccountName = arrayindex(regextract(action_evtlog_message, \".*Account Name:.*?(\\w.*)\\r\\n\"),0)\r\n| filter AccountName ~= \".*\\$.*\"","name":"SCRT-RBCD-Attack","mitre_technique_id_and_name":"","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":null,"btp_validation_error":null,"xql":"{\"tables\": [\"xdr_data\"], \"stages\": [{\"FILTER\": {\"filter\": {\"AND\": [{\"LEFT\": \"$event_type\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$ENUM.EVENT_LOG\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}, {\"LEFT\": \"$action_evtlog_event_id\", \"OPERATOR\": \"EQ\", \"RIGHT\": 4741, \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_evtlog_message\", \"OPERATOR\": \"REGEX\", \"RIGHT\": \".*A computer account was created.*\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"ADD_FIELDS\": {\"fields\": [{\"name\": \"AccountName\", \"source\": {\"function\": \"array_item\", \"parameters\": [{\"function\": \"regexp_extract_all\", \"parameters\": [\"$action_evtlog_message\", \".*Account Name:.*?(\\\\w.*)\\\\r\\\\n\"]}, 0]}}]}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$AccountName\", \"OPERATOR\": \"REGEX\", \"RIGHT\": \".*\\\\$.*\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]"}] 3 | -------------------------------------------------------------------------------- /BIOC-Rdrleakdiag-lolbas.bioc: 
-------------------------------------------------------------------------------- 1 | 6ab91b8c1366275859c051cddb3b16df 2 | [{"rule_id":395,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1687879280170,"modify_time":1687879288067,"severity":"SEV_030_MEDIUM","source":"frank.bussink@e-xpertsolutions.com","comment":"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Rdrleakdiag\/\nNo known legit usage","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":{"runOnCGO":true,"investigationType":"PROCESS_EXECUTION_EVENT","investigation":{"PROCESS_EXECUTION_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"action_process_image_name","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"rdrleakdiag","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_process_image_command_line","SEARCH_TYPE":"REGEX","SEARCH_VALUE":".*rdrleakdiag.*\\\/fullmemdmp.*","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"7a67171bb15f69cb9e42881b5e49c089","indicator_text":"Process action type = execution AND target process cmd =~ .*rdrleakdiag.*\\\/fullmemdmp.* AND target process name =~ rdrleakdiag","name":"BIOC-Rdrleakdiag-lolbas-command","mitre_technique_id_and_name":"T1003.001 - OS Credential Dumping: LSASS Memory","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name \"rdrleakdiag\" 0) (regex ?command_line \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert 
(process_start_395 (cid ?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name \"rdrleakdiag\" 0) (regex ?command_line \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-Rdrleakdiag-lolbas-command","tactic_id":["TA0006"],"technique_id":["T1003.001"],"biocRuleName":"BIOC-Rdrleakdiag-lolbas-command","biocId":395,"additionalData":"{}"}}},"rule_data":"(deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex (lowcase ?process_image_name) \"rdrleakdiag\" 0) (regex (lowcase ?command_line) \".*rdrleakdiag.*\\\\\/fullmemdmp.*\" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid))))"}},"btp_rule_name":"process_start_395","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1687879280170,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-Rdrleakdiag-lolbas.md: -------------------------------------------------------------------------------- 1 | * rule_id: 395 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1687879280170 5 | * modify_time: 1687879288067 6 | * severity: 
SEV_030_MEDIUM 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/ 9 | No known legit usage 10 | * status: ENABLED 11 | * category: CREDENTIAL_ACCESS 12 | * ## Indicator ## 13 | * runOnCGO: True 14 | * investigationType: PROCESS_EXECUTION_EVENT 15 | * ### Investigation ### 16 | * #### Process_Execution_Event #### 17 | * ##### Filter ##### 18 | * ###### And ###### 19 | * SEARCH_FIELD: action_process_image_name 20 | * SEARCH_TYPE: REGEX 21 | * SEARCH_VALUE: rdrleakdiag 22 | * ###### Extra_Fields ###### 23 | * isExtended: False 24 | * node: attributes 25 | * SEARCH_FIELD: action_process_image_command_line 26 | * SEARCH_TYPE: REGEX 27 | * SEARCH_VALUE: .*rdrleakdiag.*\/fullmemdmp.* 28 | * ###### Extra_Fields ###### 29 | * isExtended: False 30 | * indicator_md5: 7a67171bb15f69cb9e42881b5e49c089 31 | * indicator_text: Process action type = execution AND target process cmd =~ .*rdrleakdiag.*\/fullmemdmp.* AND target process name =~ rdrleakdiag 32 | * name: BIOC-Rdrleakdiag-lolbas-command 33 | * mitre_technique_id_and_name: T1003.001 - OS Credential Dumping: LSASS Memory 34 | * mitre_tactic_id_and_name: TA0006 - Credential Access 35 | * mitre_tactic_id: TA0006 36 | * mitre_technique_id: T1003.001 37 | * ## Btp_Rule ## 38 | * ### Agent_Os_Windows ### 39 | * #### Signatureconfiguration #### 40 | * ##### Default ##### 41 | * ###### Settings ###### 42 | * action: block 43 | * friendlyName: BIOC-Rdrleakdiag-lolbas-command 44 | * ###### Tactic_Id ###### 45 | * 0: TA0006 46 | * ###### Technique_Id ###### 47 | * 0: T1003.001 48 | * biocRuleName: BIOC-Rdrleakdiag-lolbas-command 49 | * biocId: 395 50 | * additionalData: {} 51 | * rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name "rdrleakdiag" 0) (regex ?command_line ".*rdrleakdiag.*\\/fullmemdmp.*" 
0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid)))) 52 | * ### Agent_Os_Mac ### 53 | * #### Signatureconfiguration #### 54 | * ##### Default ##### 55 | * ###### Settings ###### 56 | * action: block 57 | * friendlyName: BIOC-Rdrleakdiag-lolbas-command 58 | * ###### Tactic_Id ###### 59 | * 0: TA0006 60 | * ###### Technique_Id ###### 61 | * 0: T1003.001 62 | * biocRuleName: BIOC-Rdrleakdiag-lolbas-command 63 | * biocId: 395 64 | * additionalData: {} 65 | * rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex ?process_image_name "rdrleakdiag" 0) (regex ?command_line ".*rdrleakdiag.*\\/fullmemdmp.*" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid)))) 66 | * ### Agent_Os_Linux ### 67 | * #### Signatureconfiguration #### 68 | * ##### Default ##### 69 | * ###### Settings ###### 70 | * action: block 71 | * friendlyName: BIOC-Rdrleakdiag-lolbas-command 72 | * ###### Tactic_Id ###### 73 | * 0: TA0006 74 | * ###### Technique_Id ###### 75 | * 0: T1003.001 76 | * biocRuleName: BIOC-Rdrleakdiag-lolbas-command 77 | * biocId: 395 78 | * additionalData: {} 79 | * rule_data: (deftemplate process_start_395 (slot cid)) (defrule process_start_395 (process_start (process_image_name ?process_image_name) (cid ?cid) (command_line ?command_line &: (and (regex (lowcase ?process_image_name) "rdrleakdiag" 0) (regex (lowcase ?command_line) ".*rdrleakdiag.*\\/fullmemdmp.*" 0)))) (not (process_start_395 (cid ?cid))) => (assert (process_start_395 (cid ?cid)))) 80 | * btp_rule_name: process_start_395 81 | * is_preventable: 1 82 | * supported_os: 7 83 | * btp_validation_error: None 84 | * xql: None 85 | * is_xql: False 86 | * query_tables: None 87 | * rule_indicator_last_modified_ts: 1687879280170 88 | * status_changed_by: None 89 | * status_changed_at: None 90 | * last_status_change_reason: None 
91 | -------------------------------------------------------------------------------- /BIOC-SCRT-Mr-D0x-XDR-Disable-chg-registry-value.bioc: -------------------------------------------------------------------------------- 1 | 1acee50b1a695f3f38e17f3696b8aa47 2 | [{"rule_id":520,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1650371481298,"modify_time":1650371613163,"severity":"SEV_030_MEDIUM","source":"frank.bussink@scrt.ch","comment":"SCRT switzerland - k4nfr3 - 19\/04\/2022\nFollowing Mr D0x research : https:\/\/mrd0x.com\/cortex-xdr-analysis-and-bypass\/\nit requires privilege and a reboot.\nThis is until PAN will provide real signature","status":"ENABLED","category":"EVASION","indicator":{"runOnCGO":true,"investigationType":"REGISTRY_EVENT","investigation":{"REGISTRY_EVENT":{"filter":{"AND":[{"SEARCH_FIELD":"agent_os_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":1,"EXTRA_FIELDS":[],"isExtended":false,"node":"xdr_agent"},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"4","isExtended":false},{"SEARCH_FIELD":"action_registry_value_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"ServiceDll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_registry_data","SEARCH_TYPE":"REGEX_NOT","SEARCH_VALUE":"cryptsvc.dll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_registry_key_name","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet\\d\\d\\d\\\\Services\\\\CryptSvc\\\\Parameters","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"0186f58365c1a1c03da6e6ec2d052093","indicator_text":"Registry registry data !=~ cryptsvc.dll AND registry key name =~ HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet\\d\\d\\d\\\\Services\\\\CryptSvc\\\\Parameters AND registry value name = ServiceDll AND action type = set_registry_value Host host os = windows","name":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","mitre_technique_id_and_name":"T1562.001 - 
Impair Defenses: Disable or Modify Tools","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1562.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","tactic_id":[],"technique_id":["T1562.001"],"biocRuleName":"SCRT-Mr-D0x-XDR-Disable-chg-registry-value","biocId":520,"additionalData":"{}"}}},"rule_data":"(deftemplate registry_operation_520 (slot cid)) (defrule registry_operation_520 (registry_operation (hive ?hive) (sub_type ?sub_type) (key_name ?key_name) (value ?value) (cid ?cid) (value_name ?value_name &: (and (eq ?sub_type ?*reg_set_value*) (eq ?value_name \"servicedll\") (not (regex ?value \"cryptsvc.dll\" 0)) (and (regex ?key_name \"\\\\system\\\\\\\\controlset\\\\d\\\\d\\\\d\\\\\\\\services\\\\\\\\cryptsvc\\\\\\\\parameters\" 0) (eq ?hive ?*hklm*))))) (not (registry_operation_520 (cid ?cid))) => (assert (registry_operation_520 (cid ?cid))))"}},"btp_rule_name":"registry_operation_520","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null}] 3 | -------------------------------------------------------------------------------- /BIOC-SprintCSP.dll.bioc: -------------------------------------------------------------------------------- 1 | 2c823e94e0f46facdbbc0042b90d6755 2 | [{"rule_id":387,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1683118009481,"modify_time":1683797390193,"severity":"SEV_030_MEDIUM","source":"frank.bussink@e-xpertsolutions.com","comment":"The StorSvc.dll!SvcRebootToFlashingMode RPC method, calls StorSvc.dll!InitResetPhone which also calls StorSvc.dll!ResetPhoneWorkerCallback, that tries to load SprintCSP.dll. 
As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the StorSvc process runs under NT AUTHORITY\\SYSTEM.","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":{"runOnCGO":false,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"3","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"SprintCSP.dll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"f8103c0bb88607a5d23e9c7d1d9adc30","indicator_text":"File action type = create, rename, write AND file name = SprintCSP.dll","name":"SprintCSP.dll created to disk (StorSvc LPE)","mitre_technique_id_and_name":"T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking","mitre_tactic_id_and_name":"TA0004 - Privilege Escalation","mitre_tactic_id":"TA0004","mitre_technique_id":"T1574.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc 
LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"SprintCSP.dll created to disk (StorSvc LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"SprintCSP.dll created to disk (StorSvc LPE)","biocId":387,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) \"sprintcsp.dll\")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid))))"}},"btp_rule_name":"file_operation_387","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1683118009481}] 3 | -------------------------------------------------------------------------------- /BIOC-SprintCSP.dll.md: -------------------------------------------------------------------------------- 1 | * rule_id: 387 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1683118009481 5 | * modify_time: 1683797390193 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: The StorSvc.dll!SvcRebootToFlashingMode RPC method, calls StorSvc.dll!InitResetPhone which also calls StorSvc.dll!ResetPhoneWorkerCallback, 
that tries to load SprintCSP.dll. As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the StorSvc process runs under NT AUTHORITY\SYSTEM. 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 3 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 6 30 | * isExtended: False 31 | * SEARCH_FIELD: action_file_name 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: SprintCSP.dll 34 | * ###### Extra_Fields ###### 35 | * isExtended: False 36 | * node: attributes 37 | * indicator_md5: f8103c0bb88607a5d23e9c7d1d9adc30 38 | * indicator_text: File action type = create, rename, write AND file name = SprintCSP.dll 39 | * name: SprintCSP.dll created to disk (StorSvc LPE) 40 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 41 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 42 | * mitre_tactic_id: TA0004 43 | * mitre_technique_id: T1574.001 44 | * ## Btp_Rule ## 45 | * ### Agent_Os_Windows ### 46 | * #### Signatureconfiguration #### 47 | * ##### Default ##### 48 | * ###### Settings ###### 49 | * action: block 50 | * friendlyName: SprintCSP.dll created to disk (StorSvc LPE) 51 | * ###### Tactic_Id ###### 52 | * 0: TA0004 53 | * ###### Technique_Id ###### 54 | * 0: T1574.001 55 | * biocRuleName: SprintCSP.dll created to disk (StorSvc LPE) 56 | * biocId: 387 57 | * additionalData: {} 58 | * rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) 
(file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid)))) 59 | * ### Agent_Os_Mac ### 60 | * #### Signatureconfiguration #### 61 | * ##### Default ##### 62 | * ###### Settings ###### 63 | * action: block 64 | * friendlyName: SprintCSP.dll created to disk (StorSvc LPE) 65 | * ###### Tactic_Id ###### 66 | * 0: TA0004 67 | * ###### Technique_Id ###### 68 | * 0: T1574.001 69 | * biocRuleName: SprintCSP.dll created to disk (StorSvc LPE) 70 | * biocId: 387 71 | * additionalData: {} 72 | * rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid)))) 73 | * ### Agent_Os_Linux ### 74 | * #### Signatureconfiguration #### 75 | * ##### Default ##### 76 | * ###### Settings ###### 77 | * action: block 78 | * friendlyName: SprintCSP.dll created to disk (StorSvc LPE) 79 | * ###### Tactic_Id ###### 80 | * 0: TA0004 81 | * ###### Technique_Id ###### 82 | * 0: T1574.001 83 | * biocRuleName: SprintCSP.dll created to disk (StorSvc LPE) 84 | * biocId: 387 85 | * additionalData: {} 86 | * rule_data: (deftemplate file_operation_387 (slot cid)) (defrule file_operation_387 (file_operation (sub_type ?sub_type) (cid ?cid) (file_name ?file_name &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "sprintcsp.dll")))) (not (file_operation_387 (cid ?cid))) => (assert (file_operation_387 (cid ?cid)))) 87 | * btp_rule_name: file_operation_387 88 | * is_preventable: 1 89 | * supported_os: 7 90 | * btp_validation_error: None 91 | 
* xql: None 92 | * is_xql: False 93 | * query_tables: None 94 | * rule_indicator_last_modified_ts: 1683118009481 95 | -------------------------------------------------------------------------------- /BIOC-TTTracerinjection-into-LSASS.bioc: -------------------------------------------------------------------------------- 1 | 0bb4479fed43bf35426bff2024f88644 2 | [{"rule_id":392,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1684329642854,"modify_time":1684329724525,"severity":"SEV_040_HIGH","source":"frank.bussink@e-xpertsolutions.com","comment":"Tttracer is a Windows tool which can trace memory on any process. Here it was injected into LSASS, which is highly suspicious except in case of troubleshooting with Microsoft","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"794b6fd75a9fce80e01417d11131152f","indicator_text":"preset = xdr_injection \r\n| filter (action_remote_process_image_name = \"lsass.exe\") \r\n| filter (actor_process_image_name = \"ttdinject.exe\") ","name":"BIOC-TTTracer on LSASS","mitre_technique_id_and_name":"T1003.001 - OS Credential Dumping: LSASS Memory","mitre_tactic_id_and_name":"TA0006 - Credential Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003.001","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"presets\": [\"xdr_injection\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_remote_process_image_name\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"lsass.exe\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$actor_process_image_name\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"ttdinject.exe\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1684329642854}] -------------------------------------------------------------------------------- 
/BIOC-TTTracerinjection-into-LSASS.md: -------------------------------------------------------------------------------- 1 | * rule_id: 392 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1684329642854 5 | * modify_time: 1684329724525 6 | * severity: SEV_040_HIGH 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: tttracer.exe / ttdinject.exe are the Microsoft Time Travel Debugging (TTD) recorder components; they can record the execution (instructions and memory) of any process. Injection into lsass.exe is highly suspicious outside of a troubleshooting session with Microsoft support. Note that the rule keys only on the actor image name ttdinject.exe, so a renamed copy of the binary will not match; and because it is an XQL rule (UNSUPPORTED_XQL, is_preventable 0) it can detect but not block. 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 794b6fd75a9fce80e01417d11131152f 13 | * indicator_text: preset = xdr_injection 14 | | filter (action_remote_process_image_name = "lsass.exe") 15 | | filter (actor_process_image_name = "ttdinject.exe") 16 | * name: BIOC-TTTracer on LSASS 17 | * mitre_technique_id_and_name: T1003.001 - OS Credential Dumping: LSASS Memory 18 | * mitre_tactic_id_and_name: TA0006 - Credential Access 19 | * mitre_tactic_id: TA0006 20 | * mitre_technique_id: T1003.001 21 | * btp_rule: None 22 | * btp_rule_name: None 23 | * is_preventable: 0 24 | * supported_os: 0 25 | * btp_validation_error: UNSUPPORTED_XQL 26 | * xql: {"presets": ["xdr_injection"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$action_remote_process_image_name", "OPERATOR": "EQ", "RIGHT": "lsass.exe", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$actor_process_image_name", "OPERATOR": "EQ", "RIGHT": "ttdinject.exe", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 27 | * is_xql: True 28 | * query_tables: ["xdr_data"] 29 | * rule_indicator_last_modified_ts: 1684329642854 30 | -------------------------------------------------------------------------------- /BIOC-add-User-to-LocalAdmin-Group: -------------------------------------------------------------------------------- 1 | # This requires an XTH license: the query depends on Windows Security event-log records (event ID 4732, "a member was added to a security-enabled local group") being ingested into xdr_data 2 | dataset = xdr_data // Using the xdr dataset 3 | | 
filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4732 4 | | alter TargetUserName = replace(json_extract(action_evtlog_data_fields, "$.TargetUserName"),"\"","") 5 | | alter TargetDomainName = replace(json_extract(action_evtlog_data_fields, "$.TargetDomainName"),"\"","") 6 | | alter SubjectDomainName = replace(json_extract(action_evtlog_data_fields, "$.SubjectDomainName"),"\"","") 7 | | alter SubjectUserName = replace(json_extract(action_evtlog_data_fields, "$.SubjectUserName"),"\"","") 8 | | filter TargetDomainName= "Builtin" 9 | | filter TargetUserName= "Administrators" or TargetUserName= "Administrateurs" 10 | -------------------------------------------------------------------------------- /BIOC-suspicious-command-line to Critical registry and NTDS file.bioc: -------------------------------------------------------------------------------- 1 | 56c1f256dea12cc53483aeb83e45da3a 2 | [{"rule_id":402,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1699031533674,"modify_time":1699031601221,"severity":"SEV_030_MEDIUM","source":"frank.bussink@swissexpertgroup.com","comment":"","status":"ENABLED","category":"CREDENTIAL_ACCESS","indicator":null,"indicator_md5":"11dc07e8da51f64c7d0581cc08c7d588","indicator_text":"dataset = xdr_data\r\n| filter event_type = ENUM.PROCESS \r\n| filter causality_actor_process_signature_vendor CONTAINS \"microsoft\" \/\/ Only keep cmd.exe or powershell etc...\r\n| alter cmd= action_process_image_command_line \/\/ use small length var name\r\n| filter cmd CONTAINS \"C:\\Windows\\NTDS\\ntds.dit\" or cmd CONTAINS \"C:\\Windows\\System32\\config\\SYSTEM\" or cmd CONTAINS \"C:\\Windows\\System32\\config\\SAM\"","name":"BIOC-suspicious-command-line to Critical registry and NTDS file","mitre_technique_id_and_name":"T1003 - OS Credential Dumping","mitre_tactic_id_and_name":"TA0006 - Credential 
Access","mitre_tactic_id":"TA0006","mitre_technique_id":"T1003","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":0,"btp_validation_error":"UNSUPPORTED_XQL","xql":"{\"stages\":[{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$event_type\",\"OPERATOR\":\"EQ\",\"RIGHT\":\"$ENUM.PROCESS\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"FILTER\":{\"filter\":{\"OR\":[{\"LEFT\":\"$causality_actor_process_signature_vendor\",\"OPERATOR\":\"CONTAINS\",\"RIGHT\":\"microsoft\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}},{\"ADD_FIELDS\":{\"fields\":[{\"name\":\"cmd\",\"source\":\"$action_process_image_command_line\"}]}},{\"FILTER\":{\"filter\":{\"OR\":[{\"OR\":[{\"LEFT\":\"$cmd\",\"OPERATOR\":\"CONTAINS\",\"RIGHT\":\"C:\\\\Windows\\\\NTDS\\\\ntds.dit\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"},{\"LEFT\":\"$cmd\",\"OPERATOR\":\"CONTAINS\",\"RIGHT\":\"C:\\\\Windows\\\\System32\\\\config\\\\SYSTEM\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]},{\"LEFT\":\"$cmd\",\"OPERATOR\":\"CONTAINS\",\"RIGHT\":\"C:\\\\Windows\\\\System32\\\\config\\\\SAM\",\"FILTER_DIALECT\":\"EXTENDED_FILTER_OBJ\"}]}}}],\"original_query\":null,\"tables\":[\"xdr_data\"]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1699031533674,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-suspicious-command-line-.md: -------------------------------------------------------------------------------- 1 | * rule_id: 402 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1699031533674 5 | * modify_time: 1699031533674 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@swissexpertgroup.com 8 | * comment: 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 11dc07e8da51f64c7d0581cc08c7d588 13 | * indicator_text: dataset = xdr_data 14 | | filter event_type = 
ENUM.PROCESS 15 | | filter causality_actor_process_signature_vendor CONTAINS "microsoft" // keep only process chains whose causality actor is Microsoft-signed (cmd.exe, powershell.exe, ...); note this also drops chains started by an unsigned or third-party-signed parent, which are then never inspected 16 | | alter cmd= action_process_image_command_line // short alias for the command line 17 | | filter cmd CONTAINS "C:\Windows\NTDS\ntds.dit" or cmd CONTAINS "C:\Windows\System32\config\SYSTEM" or cmd CONTAINS "C:\Windows\System32\config\SAM" // NOTE: only the literal C:\ paths are matched; access through a shadow-copy device path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\...) or a hive export such as "reg save HKLM\SAM" does not contain these strings and is not covered here 18 | * name: XQL-suspicious-command-line to Critical registry and NTDS file 19 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 20 | * mitre_tactic_id_and_name: TA0006 - Credential Access 21 | * mitre_tactic_id: TA0006 22 | * mitre_technique_id: T1003 23 | * btp_rule: None 24 | * btp_rule_name: None 25 | * is_preventable: 0 26 | * supported_os: None 27 | * btp_validation_error: None 28 | * xql: {"stages":[{"FILTER":{"filter":{"OR":[{"LEFT":"$event_type","OPERATOR":"EQ","RIGHT":"$ENUM.PROCESS","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}},{"FILTER":{"filter":{"OR":[{"LEFT":"$causality_actor_process_signature_vendor","OPERATOR":"CONTAINS","RIGHT":"microsoft","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}},{"ADD_FIELDS":{"fields":[{"name":"cmd","source":"$action_process_image_command_line"}]}},{"FILTER":{"filter":{"OR":[{"OR":[{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\\Windows\\NTDS\\ntds.dit","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"},{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\\Windows\\System32\\config\\SYSTEM","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]},{"LEFT":"$cmd","OPERATOR":"CONTAINS","RIGHT":"C:\\Windows\\System32\\config\\SAM","FILTER_DIALECT":"EXTENDED_FILTER_OBJ"}]}}}],"original_query":null,"tables":["xdr_data"]} 29 | * is_xql: True 30 | * query_tables: ["xdr_data"] 31 | * rule_indicator_last_modified_ts: 1699031533674 32 | * status_changed_by: None 33 | * status_changed_at: None 34 | * last_status_change_reason: None 35 | -------------------------------------------------------------------------------- /BIOC-wlanapi.dll_LPE.bioc: 
-------------------------------------------------------------------------------- 1 | 2a3ec558650575d8d6d44a3b7325924c 2 | [{"rule_id":396,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1689000053662,"modify_time":1689000053662,"severity":"SEV_030_MEDIUM","source":"frank.bussink@e-xpertsolutions.com","comment":"Netman service has a reference to wlanapi.dll. This can lead to LPE on 2008R2 and 2019 Servcer. As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the svchost process runs under NT AUTHORITY\\SYSTEM. More info here : https:\/\/itm4n.github.io\/windows-server-netman-dll-hijacking\/","status":"ENABLED","category":"PRIVILEGE_ESCALATION","indicator":{"runOnCGO":false,"investigationType":"FILE_EVENT","investigation":{"FILE_EVENT":{"filter":{"AND":[{"OR":[{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"1","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"3","isExtended":false},{"SEARCH_FIELD":"event_sub_type","SEARCH_TYPE":"EQ","SEARCH_VALUE":"6","isExtended":false}]},{"SEARCH_FIELD":"action_file_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"wlanapi.dll","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"SEARCH_FIELD":"action_file_previous_file_path","SEARCH_TYPE":"REGEX_NOT","SEARCH_VALUE":"C:\\\\Windows\\\\.*","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"}]}}}},"indicator_md5":"6947ad0f538332d518b71e8e83821d8e","indicator_text":"File action type = create, rename, write AND file name = wlanapi.dll AND file previous path !=~ C:\\\\Windows\\\\.*","name":"BIOC-wlanapi.dll created to disk (Netman LPE)","mitre_technique_id_and_name":"T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking","mitre_tactic_id_and_name":"TA0004 - Privilege 
Escalation","mitre_tactic_id":"TA0004","mitre_technique_id":"T1574.001","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-wlanapi.dll created to disk (Netman LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"BIOC-wlanapi.dll created to disk (Netman LPE)","biocId":396,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_396 (slot cid)) (defrule file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"wlanapi.dll\") (not (regex ?old_file_path \"c:\\\\\\\\windows\\\\\\\\.*\" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid))))"},"AGENT_OS_MAC":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-wlanapi.dll created to disk (Netman LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"BIOC-wlanapi.dll created to disk (Netman LPE)","biocId":396,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_396 (slot cid)) (defrule file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name \"wlanapi.dll\") (not (regex ?old_file_path \"c:\\\\\\\\windows\\\\\\\\.*\" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid))))"},"AGENT_OS_LINUX":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"BIOC-wlanapi.dll created to disk (Netman LPE)","tactic_id":["TA0004"],"technique_id":["T1574.001"],"biocRuleName":"BIOC-wlanapi.dll created to disk (Netman LPE)","biocId":396,"additionalData":"{}"}}},"rule_data":"(deftemplate file_operation_396 (slot cid)) (defrule 
file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) \"wlanapi.dll\") (not (regex (lowcase ?old_file_path) \"c:\\\\\\\\windows\\\\\\\\.*\" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid))))"}},"btp_rule_name":"file_operation_396","is_preventable":1,"supported_os":7,"btp_validation_error":null,"xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1689000053662,"status_changed_by":null,"status_changed_at":null,"last_status_change_reason":null}] -------------------------------------------------------------------------------- /BIOC-wlanapi.dll_LPE.md: -------------------------------------------------------------------------------- 1 | * rule_id: 396 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1689000053662 5 | * modify_time: 1689000053662 6 | * severity: SEV_030_MEDIUM 7 | * source: frank.bussink@e-xpertsolutions.com 8 | * comment: Netman service has a reference to wlanapi.dll. This can lead to LPE on 2008R2 and 2019 Servcer. As a result, the creation of this file may be indicative of Local Privilege escalation by DLL hijacking as the svchost process runs under NT AUTHORITY\SYSTEM. 
More info here: https://itm4n.github.io/windows-server-netman-dll-hijacking/ . Tuning note: the only exclusion in this rule is on the file's *previous* path (REGEX_NOT C:\\Windows\\.*), not on the target path, so a legitimate servicing write of wlanapi.dll under C:\Windows\System32 on SKUs where the DLL ships (e.g. workstations) is not excluded and may need an additional path-based exception; the rule is in block mode, so verify this before enabling it broadly. 9 | * status: ENABLED 10 | * category: PRIVILEGE_ESCALATION 11 | * ## Indicator ## 12 | * runOnCGO: False 13 | * investigationType: FILE_EVENT 14 | * ### Investigation ### 15 | * #### File_Event #### 16 | * ##### Filter ##### 17 | * ###### And ###### 18 | * ###### Or ###### 19 | * SEARCH_FIELD: event_sub_type 20 | * SEARCH_TYPE: EQ 21 | * SEARCH_VALUE: 1 22 | * isExtended: False 23 | * SEARCH_FIELD: event_sub_type 24 | * SEARCH_TYPE: EQ 25 | * SEARCH_VALUE: 3 26 | * isExtended: False 27 | * SEARCH_FIELD: event_sub_type 28 | * SEARCH_TYPE: EQ 29 | * SEARCH_VALUE: 6 30 | * isExtended: False 31 | * SEARCH_FIELD: action_file_name 32 | * SEARCH_TYPE: EQ 33 | * SEARCH_VALUE: wlanapi.dll 34 | * ###### Extra_Fields ###### 35 | * isExtended: False 36 | * node: attributes 37 | * SEARCH_FIELD: action_file_previous_file_path 38 | * SEARCH_TYPE: REGEX_NOT 39 | * SEARCH_VALUE: C:\\Windows\\.* 40 | * ###### Extra_Fields ###### 41 | * isExtended: False 42 | * node: attributes 43 | * indicator_md5: 6947ad0f538332d518b71e8e83821d8e 44 | * indicator_text: File action type = create, rename, write AND file name = wlanapi.dll AND file previous path !=~ C:\\Windows\\.* 45 | * name: BIOC-wlanapi.dll created to disk (Netman LPE) 46 | * mitre_technique_id_and_name: T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking 47 | * mitre_tactic_id_and_name: TA0004 - Privilege Escalation 48 | * mitre_tactic_id: TA0004 49 | * mitre_technique_id: T1574.001 50 | * ## Btp_Rule ## 51 | * ### Agent_Os_Windows ### 52 | * #### Signatureconfiguration #### 53 | * ##### Default ##### 54 | * ###### Settings ###### 55 | * action: block 56 | * friendlyName: BIOC-wlanapi.dll created to disk (Netman LPE) 57 | * ###### Tactic_Id ###### 58 | * 0: TA0004 59 | * ###### Technique_Id ###### 60 | * 0: T1574.001 61 | * biocRuleName: BIOC-wlanapi.dll created to disk (Netman LPE) 62 | * biocId: 396 63 | * additionalData: {} 64 | * 
rule_data: (deftemplate file_operation_396 (slot cid)) (defrule file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "wlanapi.dll") (not (regex ?old_file_path "c:\\\\windows\\\\.*" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid)))) 65 | * ### Agent_Os_Mac ### 66 | * #### Signatureconfiguration #### 67 | * ##### Default ##### 68 | * ###### Settings ###### 69 | * action: block 70 | * friendlyName: BIOC-wlanapi.dll created to disk (Netman LPE) 71 | * ###### Tactic_Id ###### 72 | * 0: TA0004 73 | * ###### Technique_Id ###### 74 | * 0: T1574.001 75 | * biocRuleName: BIOC-wlanapi.dll created to disk (Netman LPE) 76 | * biocId: 396 77 | * additionalData: {} 78 | * rule_data: (deftemplate file_operation_396 (slot cid)) (defrule file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type ?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq ?file_name "wlanapi.dll") (not (regex ?old_file_path "c:\\\\windows\\\\.*" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid)))) 79 | * ### Agent_Os_Linux ### 80 | * #### Signatureconfiguration #### 81 | * ##### Default ##### 82 | * ###### Settings ###### 83 | * action: block 84 | * friendlyName: BIOC-wlanapi.dll created to disk (Netman LPE) 85 | * ###### Tactic_Id ###### 86 | * 0: TA0004 87 | * ###### Technique_Id ###### 88 | * 0: T1574.001 89 | * biocRuleName: BIOC-wlanapi.dll created to disk (Netman LPE) 90 | * biocId: 396 91 | * additionalData: {} 92 | * rule_data: (deftemplate file_operation_396 (slot cid)) (defrule file_operation_396 (file_operation (file_name ?file_name) (sub_type ?sub_type) (cid ?cid) (old_file_path ?old_file_path &: (and (or (eq ?sub_type 
?*file_create_new*) (eq ?sub_type ?*file_rename*) (eq ?sub_type ?*file_write*)) (eq (lowcase ?file_name) "wlanapi.dll") (not (regex (lowcase ?old_file_path) "c:\\\\windows\\\\.*" 0))))) (not (file_operation_396 (cid ?cid))) => (assert (file_operation_396 (cid ?cid)))) 93 | * btp_rule_name: file_operation_396 94 | * is_preventable: 1 95 | * supported_os: 7 96 | * btp_validation_error: None 97 | * xql: None 98 | * is_xql: False 99 | * query_tables: None 100 | * rule_indicator_last_modified_ts: 1689000053662 101 | * status_changed_by: None 102 | * status_changed_at: None 103 | * last_status_change_reason: None 104 | -------------------------------------------------------------------------------- /BIOC_PingCastle_ADCS_scanning.bioc: -------------------------------------------------------------------------------- 1 | 853cebc76865cb88de26d165fba901c5 2 | [{"rule_id":542,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1670590326287,"modify_time":1670591050090,"severity":"SEV_030_MEDIUM","source":"frank.bussink@scrt.ch","comment":"Probably 
PingCastle","status":"ENABLED","category":"RECONNAISSANCE","indicator":{"runOnCGO":true,"investigationType":"WINDOWS_EVENT_LOG","investigation":{"WINDOWS_EVENT_LOG":{"filter":{"AND":[{"SEARCH_FIELD":"action_evtlog_data_fields","SEARCH_TYPE":"REGEX","SEARCH_VALUE":"certificateTemplates","EXTRA_FIELDS":[],"isExtended":false,"node":"attributes"},{"OR":[{"SEARCH_FIELD":"actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","EXTRA_FIELDS":["causality_actor_process_image_name","os_actor_process_image_name"],"isExtended":false,"node":"xdr_actor"},{"SEARCH_FIELD":"causality_actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","isExtended":true,"node":"xdr_actor"},{"SEARCH_FIELD":"os_actor_process_image_name","SEARCH_TYPE":"EQ","SEARCH_VALUE":"Microsoft.ActiveDirectory.WebServices.exe","isExtended":true,"node":"xdr_actor"}]},{"SEARCH_FIELD":"action_evtlog_event_id","SEARCH_TYPE":"EQ","SEARCH_VALUE":"30","EXTRA_FIELDS":[],"isExtended":false}]}}}},"indicator_md5":"725628dc77b3f1e3f9788d48ebfbb532","indicator_text":"Event Log event log raw data =~ certificateTemplates AND event log id = 30 Process initiated by = Microsoft.ActiveDirectory.WebServices.exe, cgo name = Microsoft.ActiveDirectory.WebServices.exe, os parent name = Microsoft.ActiveDirectory.WebServices.exe","name":"ADCS querying information via ADWS (PingCastle ?)","mitre_technique_id_and_name":"T1018 - Remote System Discovery","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1018","btp_rule":{"AGENT_OS_WINDOWS":{"signatureConfiguration":{"default":{"settings":{"action":"block","friendlyName":"ADCS querying information via ADWS (PingCastle ?)","tactic_id":[],"technique_id":["T1018"],"biocRuleName":"ADCS querying information via ADWS (PingCastle ?)","biocId":542,"additionalData":"{}"}}},"rule_data":"(deftemplate log_event_542 (slot cid)) (defrule log_event_542 (process_start (cid ?cid) 
(instance_id ?parent_instance_id) (process_image_name ?act_process_image_name &: (eq ?act_process_image_name \"microsoft.activedirectory.webservices.exe\"))) (log_event (raw_data_fields ?raw_data_fields) (instance_id ?os_act_parent_instance_id) (actor_instance_id ?act_parent_instance_id) (cid ?cid) (log_event_id ?log_event_id &: (and (regex ?raw_data_fields \"certificatetemplates\" 0) (and (eq ?act_process_image_name \"microsoft.activedirectory.webservices.exe\") (eq ?act_parent_instance_id ?parent_instance_id)) (eq ?log_event_id 30)))) (not (log_event_542 (cid ?cid))) => (assert (log_event_542 (cid ?cid))))"}},"btp_rule_name":"log_event_542","is_preventable":1,"supported_os":1,"btp_validation_error":"WINDOWS_SUPPORT_ONLY","xql":null,"is_xql":false,"query_tables":null,"rule_indicator_last_modified_ts":1670591024402}] -------------------------------------------------------------------------------- /Forensic_4624_type_10: -------------------------------------------------------------------------------- 1 | dataset = forensics_event_log 2 | | filter SOURCE = "Security" 3 | | filter (event_id = 4624) 4 | // en Francais 5 | | alter Logon_Type_FR = arrayindex(regextract(MESSAGE, "Type d'ouverture de session.*?(\d+)\r\n"),0) 6 | // English version 7 | | alter Logon_Type_EN = arrayindex(regextract(MESSAGE, "Logon Type.*?(\d+)\r\n"),0) 8 | | alter Logon_Type_EN2 = arrayindex(regextract(MESSAGE, "LogonType=.*?(\d+)"),0) 9 | | filter (Logon_Type_EN = "10") or (Logon_Type_EN2 = "10") or (Logon_Type_FR = "10") 10 | | alter event_generated2 = to_timestamp(event_generated,"MILLIS") 11 | -------------------------------------------------------------------------------- /LICENCE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2023, k4nfr3 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | 8 | 1. 
Redistributions of source code must retain the above copyright notice, this 9 | list of conditions and the following disclaimer. 10 | 11 | 2. Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | 3. Neither the name of the copyright holder nor the names of its 16 | contributors may be used to endorse or promote products derived from 17 | this software without specific prior written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XDR_scripts (no longer maintained) 2 | 3 | This repo is **no longer maintained !** (24.02.2025) 4 | 5 | All new custom BIOC and custom Correlations rules will be published in a private repository. 6 | If you want to be added to the private repo, contact me (email, twitter github), and I can add you to do but I require contributions as research is time consuming or a NDA. 
7 | Competing companies have used my signatures without my consent and without mentioning my work. 8 | 9 | 10 | 11 | ## A few custom BIOC signatures 12 | - some LPE(s) 13 | - PetitPotam (from Coercer) 14 | - privesc on some DLL creation 15 | - Lsass memory dump via microsoft TTTracer 16 | 17 | ## A few XQL queries which can be used for widgets 18 | - one for detecting Canary accounts (which will be triggered via a Kerberoasting attack) 19 | 20 | ## A few XDR Scripts 21 | 22 | - ProcDump.py, as you might expect, runs ProcDump on a process; the pid is passed as an argument. (this is not my code but from somebody I don't know ) 23 | 24 | - Fullmemorydump.py, as you might expect, runs winpmem to take a full memory dump for forensic purposes. 25 | 26 | ## A few XDR Collector Filebeat configurations 27 | 28 | 29 | ## A Python script uploading IOCs to an XDR tenant via the REST API 30 | 31 | - XDR_loldriver.io_update_IOC.py 32 | 33 | 34 | ## My wish list of improvements for Cortex XDR 35 | 36 | - ~~Original filenames field in process events and other data~~ (actor_process_file_original_name for example) 37 | - Driver load signature field (against BYOVD) 38 | - BIOC specific fields to report in an Alert (basically give in the Alert the fields you want to show to the operator) 39 | - Every hour or so, check your own subscription as an ETW provider (against BYOVD) 40 | -------------------------------------------------------------------------------- /SCRT_PetitPotam-Authentication-Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 535 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1658397007681 5 | * modify_time: 1658397007681 6 | * severity: SEV_040_HIGH 7 | * source: frank.bussink@scrt.ch 8 | * comment: SCRT BIOC to detect MS-EFSR RPC calls 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 63ff8e3fd8bf3c789420808d33882451 13 | * 
indicator_text: dataset = xdr_data 14 | | filter EVENT_TYPE = RPC_CALL 15 | | filter event_rpc_interface_uuid = "{C681D488-D850-11D0-8C52-00C04FD90F7E}" 16 | | filter ((action_rpc_func_opnum = 0) or (action_rpc_func_opnum = 4) or (action_rpc_func_opnum = 5) or (action_rpc_func_opnum = 6) or (action_rpc_func_opnum = 7) or (action_rpc_func_opnum = 12)) 17 | * name: SCRT-PetitPotam-Authentication-Coercer 18 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 19 | * mitre_tactic_id_and_name: TA0006 - Credential Access 20 | * mitre_tactic_id: TA0006 21 | * mitre_technique_id: T1003 22 | * btp_rule: None 23 | * btp_rule_name: None 24 | * is_preventable: 0 25 | * supported_os: None 26 | * btp_validation_error: None 27 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{C681D488-D850-11D0-8C52-00C04FD90F7E}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"OR": [{"OR": [{"OR": [{"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 0, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 4, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 5, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 6, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 7, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}, {"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 28 | * is_xql: True 29 | * query_tables: ["xdr_data"] 30 | * rule_indicator_last_modified_ts: 1658397007681 31 | 
-------------------------------------------------------------------------------- /SCRT_PetitPotam_DFSNM_Authenticaton_Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 537 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1658410759398 5 | * modify_time: 1658410759398 6 | * severity: SEV_020_LOW 7 | * source: frank.bussink@scrt.ch 8 | * comment: SCRT rule to detect Authentication Coerce PetitPotam on MS-DFSNM Op 12 or Op 13 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: a8d61ecc099487a2152fe07ca680bf06 13 | * indicator_text: dataset = xdr_data 14 | | filter event_type = ENUM.RPC_CALL 15 | | filter (event_rpc_interface_uuid = "{4FC742E0-4A10-11CF-8273-00AA004AE673}" ) 16 | | filter ((event_rpc_func_opnum = 12) or (event_rpc_func_opnum = 13)) 17 | 18 | * name: SCRT_PetitPotam_MS_DFSNM_Authentication_Coerce 19 | * mitre_technique_id_and_name: T1003 - OS Credential Dumping 20 | * mitre_tactic_id_and_name: TA0006 - Credential Access 21 | * mitre_tactic_id: TA0006 22 | * mitre_technique_id: T1003 23 | * btp_rule: None 24 | * btp_rule_name: None 25 | * is_preventable: 0 26 | * supported_os: None 27 | * btp_validation_error: None 28 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{4FC742E0-4A10-11CF-8273-00AA004AE673}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 12, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}, {"LEFT": "$event_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 13, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 29 | * is_xql: True 30 | * query_tables: ["xdr_data"] 31 | * 
rule_indicator_last_modified_ts: 1658410759398 32 | -------------------------------------------------------------------------------- /SCRT_PetitPotam_Spoolss_Authentication_Coercer.md: -------------------------------------------------------------------------------- 1 | * rule_id: 535 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1658397007681 5 | * modify_time: 1658410787888 6 | * severity: SEV_020_LOW 7 | * source: frank.bussink@scrt.ch 8 | * comment: SCRT BIOC to detect MS-RPRN RpcRemoteFindFirstPrinterChangeNotificationEx 9 | * status: ENABLED 10 | * category: CREDENTIAL_ACCESS 11 | * indicator: None 12 | * indicator_md5: 2b19fe216d6e1efff594f0453f07dc67 13 | * indicator_text: dataset = xdr_data 14 | | filter EVENT_TYPE = RPC_CALL 15 | | filter event_rpc_interface_uuid = "{12345678-1234-ABCD-EF00-0123456789AB}" 16 | | filter ((action_rpc_func_opnum = 65) ) 17 | * name: SCRT-PetitPotam-Spoolss-Authentication-Coercer 18 | * mitre_technique_id_and_name: 19 | * mitre_tactic_id_and_name: 20 | * mitre_tactic_id: 21 | * mitre_technique_id: 22 | * btp_rule: None 23 | * btp_rule_name: None 24 | * is_preventable: 0 25 | * supported_os: 0 26 | * btp_validation_error: UNSUPPORTED_XQL 27 | * xql: {"tables": ["xdr_data"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$EVENT_TYPE", "OPERATOR": "EQ", "RIGHT": "$RPC_CALL", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_rpc_interface_uuid", "OPERATOR": "EQ", "RIGHT": "{12345678-1234-ABCD-EF00-0123456789AB}", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$action_rpc_func_opnum", "OPERATOR": "EQ", "RIGHT": 65, "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 28 | * is_xql: True 29 | * query_tables: ["xdr_data"] 30 | * rule_indicator_last_modified_ts: 1658404769097 31 | -------------------------------------------------------------------------------- /SCRT_invalid_driver_hunt.bioc: 
-------------------------------------------------------------------------------- 1 | baa87c7569513e491e98c5a66377b011 2 | [{"rule_id":542,"global_rule_id":"NO_ID","mssp_global_rule_id":null,"insert_time":1669279818847,"modify_time":1669279818847,"severity":"SEV_020_LOW","source":"frank.bussink@scrt.ch","comment":"Might be prone to False Positives. It's just an information","status":"ENABLED","category":"TAMPERING","indicator":null,"indicator_md5":"4d55807a2ddb8dba6626e2bd329c94ea","indicator_text":"preset = xdr_image_load \r\n| filter action_module_path ~= \".*\\.sys$\"\r\n| filter event_type = ENUM.LOAD_IMAGE \r\n| filter (actor_process_signature_status = SIGNED_INVALID) ","name":"SCRT Hunt for invalid driver signature","mitre_technique_id_and_name":"T1068 - Exploitation for Privilege Escalation","mitre_tactic_id_and_name":"","mitre_tactic_id":"","mitre_technique_id":"T1068","btp_rule":null,"btp_rule_name":null,"is_preventable":0,"supported_os":null,"btp_validation_error":null,"xql":"{\"presets\": [\"xdr_image_load\"], \"stages\": [{\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$action_module_path\", \"OPERATOR\": \"REGEX\", \"RIGHT\": \".*\\\\.sys$\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$event_type\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$ENUM.LOAD_IMAGE\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}, {\"FILTER\": {\"filter\": {\"OR\": [{\"LEFT\": \"$actor_process_signature_status\", \"OPERATOR\": \"EQ\", \"RIGHT\": \"$SIGNED_INVALID\", \"FILTER_DIALECT\": \"EXTENDED_FILTER_OBJ\"}]}}}]}","is_xql":true,"query_tables":"[\"xdr_data\"]","rule_indicator_last_modified_ts":1669279818847}] -------------------------------------------------------------------------------- /SCRT_invalid_driver_hunt.md: -------------------------------------------------------------------------------- 1 | * rule_id: 542 2 | * global_rule_id: NO_ID 3 | * mssp_global_rule_id: None 4 | * insert_time: 1669279818847 5 | * 
modify_time: 1669279818847 6 | * severity: SEV_020_LOW 7 | * source: frank.bussink@scrt.ch 8 | * comment: Might be prone to False Positives. It's just an information 9 | * status: ENABLED 10 | * category: TAMPERING 11 | * indicator: None 12 | * indicator_md5: 4d55807a2ddb8dba6626e2bd329c94ea 13 | * indicator_text: preset = xdr_image_load 14 | | filter action_module_path ~= ".*\.sys$" 15 | | filter event_type = ENUM.LOAD_IMAGE 16 | | filter (actor_process_signature_status = SIGNED_INVALID) 17 | * name: SCRT Hunt for invalid driver signature 18 | * mitre_technique_id_and_name: T1068 - Exploitation for Privilege Escalation 19 | * mitre_tactic_id_and_name: 20 | * mitre_tactic_id: 21 | * mitre_technique_id: T1068 22 | * btp_rule: None 23 | * btp_rule_name: None 24 | * is_preventable: 0 25 | * supported_os: None 26 | * btp_validation_error: None 27 | * xql: {"presets": ["xdr_image_load"], "stages": [{"FILTER": {"filter": {"OR": [{"LEFT": "$action_module_path", "OPERATOR": "REGEX", "RIGHT": ".*\\.sys$", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$event_type", "OPERATOR": "EQ", "RIGHT": "$ENUM.LOAD_IMAGE", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}, {"FILTER": {"filter": {"OR": [{"LEFT": "$actor_process_signature_status", "OPERATOR": "EQ", "RIGHT": "$SIGNED_INVALID", "FILTER_DIALECT": "EXTENDED_FILTER_OBJ"}]}}}]} 28 | * is_xql: True 29 | * query_tables: ["xdr_data"] 30 | * rule_indicator_last_modified_ts: 1669279818847 31 | -------------------------------------------------------------------------------- /Widget_Agent_Type: -------------------------------------------------------------------------------- 1 | dataset = endpoints 2 | | filter endpoint_status= ENUM.CONNECTED OR endpoint_status= ENUM.DISCONNECTED 3 | | comp count(endpoint_id ) as nbr_devices by endpoint_type 4 | | view graph type = pie subtype = full xaxis = endpoint_type yaxis = nbr_devices valuecolor("TYPE_WORKSTATION","#0fd1ee") valuecolor("TYPE_SERVER","#d407fa") 
seriestitle("nbr_devices","Device Type") 5 | -------------------------------------------------------------------------------- /Widget_Network_Probes_Last_events: -------------------------------------------------------------------------------- 1 | dataset = panw_ngfw_traffic_raw 2 | | fields _time, log_source_name 3 | | alter currenttime = current_time() 4 | | comp latest(_time) as LastTime by log_source_name,currenttime 5 | | alter DiffMinutes = timestamp_diff( LastTime , currenttime, "MINUTE" ) 6 | | fields log_source_name, LastTime , DiffMinutes 7 | | sort asc log_source_name 8 | -------------------------------------------------------------------------------- /XDR-Collector-config-DHCP-Filebeat.txt: -------------------------------------------------------------------------------- 1 | filebeat.inputs: 2 | - type: filestream 3 | enabled: true 4 | paths: 5 | - c:\Windows\System32\dhcp\DhcpSrvLog*.log 6 | 7 | processors: 8 | - dissect: 9 | tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}" 10 | - drop_event.when.not.regexp.message: "^[0-9]+,.*" 11 | - drop_fields: 12 | fields: ["message"] 13 | - add_locale: ~ 14 | - rename: 15 | fields: 16 | - from: "event.timezone" 17 | to: "dissect.timezone" 18 | ignore_missing: false 19 | fail_on_error: false 20 | - add_cloud_metadata: ~ 21 | - add_docker_metadata: ~ 22 | - add_kubernetes_metadata: ~ 23 | - add_tags: 24 | tags: [windows_dhcp] 25 | target: "xdr_log_type" 26 | -------------------------------------------------------------------------------- /XDR_Collector_Exchange_Msg_Tracking: -------------------------------------------------------------------------------- 1 | filebeat.inputs: 2 | - type: filestream 3 | enabled: true 4 | paths: 5 | - C:\MessageTracking\*.LOG 6 | 7 | processors: 8 | - 
dissect: 9 | tokenizer: "%{date-time},%{client-ip},%{client-hostname},%{server-ip},%{server-hostname},\"%{source-context}\",%{connector-id},%{source},%{event-id},%{internal-message-id},%{message-id},%{network-message-id},%{recipient-address},%{recipient-status},%{total-bytes|integer},%{recipient-count|integer},%{related-recipient-address},%{reference},%{message-subject},%{sender-address},%{return-path},%{message-info},%{directionality},%{tenant-id},%{original-client-ip},%{original-server-ip},%{custom-data},%{transport-traffic-type},%{log-id},%{schema-version}" 10 | field: "message" 11 | - add_fields: 12 | fields: 13 | vendor: Microsoft 14 | product: Exchange 15 | - add_locale: ~ 16 | - rename: 17 | fields: 18 | - from: "event.timezone" 19 | to: "dissect.timezone" 20 | ignore_missing: true 21 | fail_on_error: false 22 | - add_tags: 23 | tags: [microsoft_exchange] 24 | target: "xdr_log_type" 25 | -------------------------------------------------------------------------------- /XDR_Collector_config_IIS.txt: -------------------------------------------------------------------------------- 1 | filebeat.modules: 2 | - module: iis 3 | access: 4 | enabled: true 5 | var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"] 6 | error: 7 | enabled: true 8 | var.paths: ["C:/Windows/System32/LogFiles/HTTPERR/*.log"] 9 | -------------------------------------------------------------------------------- /XDR_loldriver.io_update_IOC.md: -------------------------------------------------------------------------------- 1 | # Loldriver IOC to Cortex XDR 2 | This is a python script to update your Cortex XDR tenant with the list of IOCs from [loldriver.io](https://loldriver.io) using the API rest. 3 | 4 | Nothing fancy, but I think it's a reliable source of IOC of vulnerable drivers which can lead to EDR comprimise. 
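"""Push the LOLDrivers vulnerable-driver hash list into a Cortex XDR tenant as IOCs.

The MD5/SHA256 hashes are taken from the Sysmon block configuration published
by the LOLDrivers project and uploaded in batches through the Cortex XDR public
API (``/public_api/v1/indicators/insert_jsons``), authenticated with an
advanced API key (random nonce + millisecond timestamp + SHA-256 of
key/nonce/timestamp, as built in ``_build_auth_headers``).

Credentials are read from the ``XDR_API_KEY_ID`` and ``XDR_API_KEY``
environment variables when they are set; the literals further down are only
placeholders so that no real secret has to be committed to source control.
"""
import requests
import xml.etree.ElementTree as ET
import pandas as pd

from datetime import datetime, timezone
import hashlib
import json
import math
import os
import secrets
import string

# Seconds to wait on any HTTP call; the original issued requests without a timeout.
HTTP_TIMEOUT = 30
# Indicators sent per insert_jsons request (the original hard-coded 100).
DEFAULT_BATCH_SIZE = 100


def download_xml_content(url, timeout=HTTP_TIMEOUT):
    """Return the body of *url* as bytes, or None when the download fails.

    Args:
        url: HTTP(S) URL of the XML document.
        timeout: socket timeout in seconds handed to ``requests.get``.

    Returns:
        The raw response body on HTTP 200; None on any other status or on a
        transport error (both are logged, never raised).
    """
    try:
        response = requests.get(url, timeout=timeout)
    except requests.RequestException as exc:
        log("Failed to download XML content from URL :" + str(url) + " (" + str(exc) + ")")
        return None
    if response.status_code == 200:
        return response.content
    log("Failed to download XML content from URL :" + str(url)
        + " (HTTP " + str(response.status_code) + ")")
    return None


def log(message, log_to_file=False, log_file_path="log.txt"):
    """Print *message* prefixed with a local timestamp; optionally append it to a file.

    Args:
        message: text to emit.
        log_to_file: when True the line is also appended to ``log_file_path``
            (the original kept this as a constant set to False).
        log_file_path: path of the append-only log file.
    """
    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    log_message = f"[{timestamp}] {message}"
    print(log_message)
    if log_to_file:
        with open(log_file_path, "a", encoding="utf-8") as log_file:
            log_file.write(log_message + "\n")


def extract_content(xml):
    """Collect the MD5 and SHA256 hashes declared in Sysmon ``<Hashes>`` elements.

    Args:
        xml: Sysmon configuration XML as bytes or str.

    Returns:
        A list of ``[hash_type, hash_value]`` pairs with ``hash_type`` being
        ``"MD5"`` or ``"SHA256"``. Elements with no text, text not of the form
        ``TYPE=VALUE``, or another hash type (e.g. IMPHASH) are skipped.

    Raises:
        xml.etree.ElementTree.ParseError: when *xml* is not well-formed.
    """
    root = ET.fromstring(xml)
    content_list = []
    for element in root.iter():
        if not element.tag.startswith("Hashes"):
            continue
        # An empty <Hashes/> has text None; the original crashed on .split() there.
        parts = (element.text or "").strip().split("=")
        if len(parts) != 2:
            continue
        hash_type, hash_value = parts
        if hash_type in ("MD5", "SHA256"):
            content_list.append([hash_type, hash_value])
    return content_list


def create_table(content_list):
    """Wrap ``extract_content`` output in a DataFrame with columns Type and Content."""
    return pd.DataFrame(content_list, columns=["Type", "Content"])


def _build_auth_headers(api_key_id, api_key):
    """Build the request headers for a Cortex XDR advanced API key.

    A 64-character random nonce and the current UTC time in epoch milliseconds
    are generated, and ``sha256(api_key + nonce + timestamp)`` becomes the
    ``Authorization`` value. NOTE(review): the original computed these once
    per upload run and reused them for every batch — confirm against the
    tenant's timestamp tolerance if uploads become long-running.
    """
    nonce = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(64))
    timestamp = int(datetime.now(timezone.utc).timestamp()) * 1000
    auth_key = "%s%s%s" % (api_key, nonce, timestamp)
    api_key_hash = hashlib.sha256(auth_key.encode("utf-8")).hexdigest()
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "x-xdr-timestamp": str(timestamp),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key_hash,
    }


def _build_indicator(hash_value, expiration_date):
    """Return one ``request_data`` entry for a vulnerable-driver hash."""
    return {
        "indicator": hash_value,
        "type": "HASH",
        "comment": "IOC from loldriver.IO",
        # NOTE(review): reputation GOOD together with severity HIGH is kept
        # verbatim from the original; confirm this is the intended rating for
        # vulnerable-driver hashes before relying on it for alerting.
        "reputation": "GOOD",
        "reliability": "C",
        "severity": "HIGH",
        "class": "Vulnerable Driver",
        "expiration_date": expiration_date,
    }


def upload_IOC_to_xdr(xdr_url, api_key_id, api_key, hashtable, batch_size=DEFAULT_BATCH_SIZE):
    """Upload every hash in *hashtable* to the tenant's IOC list, in batches.

    Args:
        xdr_url: tenant host suffix appended to ``https://api-`` to form the
            API base URL.
        api_key_id: id of the advanced API key.
        api_key: the advanced API key secret.
        hashtable: DataFrame with a ``Content`` column holding the hash values
            (as produced by ``create_table``). The original read the
            module-level ``table`` instead of this parameter.
        batch_size: indicators per request; must be positive.

    Returns:
        The ``requests.Response`` of the last batch sent, or None when
        *hashtable* is empty (no request is made).

    Raises:
        ValueError: when *batch_size* is not positive.
    """
    if batch_size <= 0:
        raise ValueError("batch_size must be positive")
    headers = _build_auth_headers(api_key_id, api_key)
    # Indicators expire seven days from now, as epoch milliseconds.
    seven_days_timestamp = int((datetime.now().timestamp() * 1000) + (7 * 24 * 60 * 60 * 1000))
    endpoint = "https://api-" + xdr_url + "/public_api/v1/indicators/insert_jsons"

    total_rows = len(hashtable)
    iterations = math.ceil(total_rows / batch_size)
    res = None
    for i in range(iterations):
        start_index = i * batch_size
        end_index = min(start_index + batch_size, total_rows)
        chunk = hashtable.iloc[start_index:end_index]
        payload = {
            "request_data": [_build_indicator(content, seven_days_timestamp)
                             for content in chunk["Content"]],
            "validate": True,
        }
        mycount = len(payload["request_data"])

        res = requests.post(url=endpoint, headers=headers, json=payload, timeout=HTTP_TIMEOUT)
        if not res.ok:
            # The headers are deliberately not logged: they carry the nonce,
            # timestamp and derived Authorization hash for this run.
            log("ERROR posting content to XDR @ " + xdr_url)
            log("HTTP " + str(res.status_code) + " " + str(res.reason)
                + " for a batch of " + str(mycount) + " hashes")
            log(str(res.text))
            continue
        try:
            reply = json.loads(res.text)['reply']
            if reply['success'] == True:
                log("POST successfull of : " + str(mycount) + " Hashes")
            else:
                errors = reply['validation_errors']
                log("Error" + str(errors))
                log("Error got " + str(len(errors)) + " errors")
        except (ValueError, KeyError, TypeError):
            # Non-JSON body or an unexpected reply shape; the original used a bare except.
            log("Error in request but didn't get success status" + str(res.text))
    return res


# Credentials: taken from the environment when set; the literals are placeholders.
api_key_id = os.environ.get("XDR_API_KEY_ID", "xyz")
api_key = os.environ.get("XDR_API_KEY", "***************************************")
# Host suffix for the tenant; it is prefixed with "https://api-" by upload_IOC_to_xdr.
XDR_fqdn = ".xdr.eu.paloaltonetworks.com"


def main():
    """Download the LOLDrivers Sysmon block list and push its hashes to XDR."""
    # URL of the XML file
    xml_url = "https://raw.githubusercontent.com/magicsword-io/LOLDrivers/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"

    xml_content = download_xml_content(xml_url)
    if not xml_content:
        return

    content_list = extract_content(xml_content)
    table = create_table(content_list)
    log("Download successfull of : " + str(len(table)) + " Hashes")
    upload_IOC_to_xdr(XDR_fqdn, api_key_id, api_key, table)


if __name__ == '__main__':
    main()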
alter Domain_Name = replace(json_extract(action_evtlog_data_fields, "$.TargetDomainName"),"\"","") 5 | | alter Logon_Type = replace(json_extract(action_evtlog_data_fields, "$.LogonType"),"\"","") 6 | | filter (Domain_Name not in ("Font Driver Host", "Window Manager")) 7 | | filter Logon_Type != "11" 8 | | alter Logon_type_desc = "" 9 | | alter Logon_type_desc = if(Logon_Type = "2", "Interactive", Logon_type_desc) 10 | | alter Logon_type_desc = if(Logon_Type = "3", "Network", Logon_type_desc) 11 | | alter Logon_type_desc = if(Logon_Type = "4", "Batch", Logon_type_desc) 12 | | alter Logon_type_desc = if(Logon_Type = "5", "Service", Logon_type_desc) 13 | | alter Logon_type_desc = if(Logon_Type = "7", "Unlock", Logon_type_desc) 14 | | alter Logon_type_desc = if(Logon_Type = "8", "NetworkClearText", Logon_type_desc) 15 | | alter Logon_type_desc = if(Logon_Type = "9", "NewCreds like RunAs", Logon_type_desc) 16 | | alter Logon_type_desc = if(Logon_Type = "10", "RemoteInteractive like RDP", Logon_type_desc) 17 | | alter Logon_type_desc = if(Logon_Type = "11", "CachedInteractive", Logon_type_desc) 18 | | fields agent_hostname , agent_ip_addresses , actor_effective_username , User_Name, Domain_Name, Logon_Type, Logon_type_desc 19 | -------------------------------------------------------------------------------- /XQL_Account_Lockout: -------------------------------------------------------------------------------- 1 | dataset = xdr_data 2 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4740 3 | | alter EventFromComputer =arrayindex(regextract(action_evtlog_message, ".*Account Name:.*?(\w.*)\r\n"),0), SecurityID = arrayindex(regextract(action_evtlog_message, ".*Security ID:.*?(\w.*)\r\n"),0) 4 | | alter Computer = json_extract(action_evtlog_data_fields,"$.TargetDomainName") 5 | | alter AccountName = json_extract(action_evtlog_data_fields,"$.TargetUserName") 6 | | alter AccountName = trim(AccountName,"\"") 7 | | alter Computer = trim(Computer,"\"") 8 | | 
fields AccountName, Computer, EventFromComputer , SecurityID 9 | -------------------------------------------------------------------------------- /XQL_Computer_Account_created.txt: -------------------------------------------------------------------------------- 1 | dataset = xdr_data 2 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741 3 | | filter action_evtlog_message ~= ".*A computer account was created.*" 4 | | alter AccountName = arrayindex(regextract(action_evtlog_message, ".*Account Name:.*?(\w.*)\r\n"),0), AccountDomain = arrayindex(regextract(action_evtlog_message, "Account Domain:.*?(\w.*)\r\n"),0), SAM = arrayindex(regextract(action_evtlog_message, ".*SAM Account Name:.*?(\w.*)\r\n"),0), PrivilegeList = arrayindex(regextract(action_evtlog_message, ".*Privileges.*?(\w.*)\r\n"),0) 5 | | fields AccountName as Creator_Account, AccountDomain as Domain , SAM as Account_created, PrivilegeList, action_evtlog_event_id, action_evtlog_message as raw // Select all the fields to show them 6 | 7 | 8 | 9 | XDR BIOC Rule 10 | ============= 11 | dataset = xdr_data 12 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741 13 | | filter action_evtlog_message ~= ".*A computer account was created.*" 14 | | alter AccountName = arrayindex(regextract(action_evtlog_message, ".*Account Name:.*?(\w.*)\r\n"),0) 15 | | filter AccountName ~= ".*\$.*" 16 | 17 | in a nutshell, if a computer account was created from another computer account 18 | -------------------------------------------------------------------------------- /XQL_Failed_Logins.txt: -------------------------------------------------------------------------------- 1 | # Warning, this requires the XTH license 2 | # The proposed SQL query for EventId 4625 was missing the Logon Failure Codes 3 | 4 | # Here is a new proposal to add column FailCode and adds explaination in Failure_Reason 5 | 6 | dataset = xdr_data // Using the xdr dataset 7 | | filter event_type = ENUM.EVENT_LOG and 
action_evtlog_event_id = 4625 // Filtering by windows event log and id 4625 8 | | alter User_Name =arrayindex(regextract(action_evtlog_message, "Account For Which Logon Failed:\r\n.*\r\n.*Account Name:.*?(\w.*)\r\n"),0), Logon_Type = arrayindex(regextract(action_evtlog_message, "Logon Type:.*?(\d+)\r\n"),0), Failure_Reason = arrayindex(regextract(action_evtlog_message,"Failure Reason:.*?(\w.*)\r\n"),0), Domain = arrayindex(regextract(action_evtlog_message, "Account For Which Logon Failed:\r\n.*\r\n.*.*\r\n.*Account Domain:.*?(\w.*?)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Source Network Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), Caller_Process_Name = arrayindex(regextract(action_evtlog_message, "Caller Process Name:.*?(\w.*)\r\n"),0), Host_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0), FailCode = arrayindex(regextract(action_evtlog_message, "Sub Status:.*?(\w.*)\r\n"),0) 9 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000064", "User name does not exist", Failure_Reason) 10 | | alter Failure_Reason = if(FailCode CONTAINS "0xC000006A", "Password is wrong", Failure_Reason) 11 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000234", "User is currently locked out", Failure_Reason) 12 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000072", "account is currently disabled", Failure_Reason) 13 | | alter Failure_Reason = if(FailCode CONTAINS "0xC000006F", "User tried to logon outside his day of week or time of day restriction", Failure_Reason) 14 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000070", "Workstation restriction", Failure_Reason) 15 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000193", "Account expiration", Failure_Reason) 16 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000071", "Expired password", Failure_Reason) 17 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000133", "Clock between DC and other computer too far out of sync", Failure_Reason) 
18 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000224", "User is required to change password at next logon", Failure_Reason) 19 | | alter Failure_Reason = if(FailCode CONTAINS "0xC000015b", "The user has not been granted the requested logon type (aka logon right) at this machine", Failure_Reason) 20 | | fields User_Name, Host_Name, Domain, Logon_Type, FailCode, Failure_Reason, Source_IP, Caller_Process_Name // Select all the fields to show them 21 | -------------------------------------------------------------------------------- /XQL_Failed_Logins_francais.txt: -------------------------------------------------------------------------------- 1 | # Warning, this requires the XTH license 2 | dataset = xdr_data // Using the xdr dataset 3 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4625 // Filtering by windows event log and id 4625 4 | | alter User_Name =arrayindex(regextract(action_evtlog_message, "Compte pour lequel l’ouverture.*\r\n.*\r\n.*Nom du compte.*?(\w.*)\r\n"),0) 5 | | alter Logon_Type = arrayindex(regextract(action_evtlog_message, "Type d’ouverture de session.*?(\d+)\r\n"),0) 6 | | alter Logon_type_Reason = "" 7 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "2", "Interactive", Logon_Type_Reason) 8 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "3", "Network", Logon_Type_Reason) 9 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "4", "Batch", Logon_Type_Reason) 10 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "5", "Service", Logon_Type_Reason) 11 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "7", "Unlock", Logon_Type_Reason) 12 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "8", "NetworkCleartext", Logon_Type_Reason) 13 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "9", "NewCredntials", Logon_Type_Reason) 14 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "10", "RemoteInteractive", Logon_Type_Reason) 15 | | alter Logon_Type_Reason = if(Logon_Type CONTAINS "11", 
"CachedInteractive", Logon_Type_Reason) 16 | | alter Failure_Reason = arrayindex(regextract(action_evtlog_message,"Raison de l’échec :.*?(\w.*)\r\n"),0) 17 | | alter Domain = arrayindex(regextract(action_evtlog_message, "Compte pour lequel l’ouverture.*\r\n.*\r\n.*.*\r\n.*Domaine du compte.*?(\w.*?)\r\n"),0) 18 | | alter Source_IP = arrayindex(regextract(action_evtlog_message, "Adresse du réseau source.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0) 19 | | alter Caller_Process_Name = arrayindex(regextract(action_evtlog_message, "Nom du processus de l’appelant.*?(\w.*)\r\n"),0) 20 | | alter Host_Name = arrayindex(regextract(action_evtlog_message, "Nom de la station de travail.*?(\w.*)\r\n"),0) 21 | | alter FailCode = arrayindex(regextract(action_evtlog_message, "Sous-état.*?(\w.*)\r\n"),0) 22 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000064", "User name does not exist", Failure_Reason) 23 | | alter Failure_Reason = if(FailCode CONTAINS "0xC000006A", "Password is wrong", Failure_Reason) 24 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000234", "User is currently locked out", Failure_Reason) 25 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000072", "account is currently disabled", Failure_Reason) 26 | | alter Failure_Reason = if(FailCode CONTAINS "0xC000006F", "User tried to logon outside his day of week or time of day restriction", Failure_Reason) 27 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000070", "Workstation restriction", Failure_Reason) 28 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000193", "Account expiration", Failure_Reason) 29 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000071", "Expired password", Failure_Reason) 30 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000133", "Clock between DC and other computer too far out of sync", Failure_Reason) 31 | | alter Failure_Reason = if(FailCode CONTAINS "0xC0000224", "User is required to change password at next logon", Failure_Reason) 32 | | alter Failure_Reason = 
if(FailCode CONTAINS "0xC000015b", "The user has not been granted the requested logon type (aka logon right) at this machine", Failure_Reason) 33 | | fields User_Name, Host_Name, Domain, Logon_Type,Logon_Type_Reason, FailCode, Failure_Reason, Source_IP, Caller_Process_Name // Select all the fields to show them 34 | -------------------------------------------------------------------------------- /XQL_General_event_logs: -------------------------------------------------------------------------------- 1 | dataset = xdr_data 2 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4771 3 | | fields action_evtlog_message 4 | 5 | -------------------------------------------------------------------------------- /XQL_Kerb_PreAuth_4771: -------------------------------------------------------------------------------- 1 | # Warning, this requires the XTH license 2 | dataset = xdr_data 3 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4771 4 | | alter User_Name =arrayindex(regextract(action_evtlog_message, ".*Account Name:.*?(\w.*)\r\n"),0), SecurityID = arrayindex(regextract(action_evtlog_message, ".*Security ID:.*?(\w.*)\r\n"),0), ServiceName = arrayindex(regextract(action_evtlog_message, "Service Name:.*?(\w.*)\r\n"),0), Source_IP = arrayindex(regextract(action_evtlog_message, "Client Address:.*?(\d+\.\d+\.\d+\.\d+)\r\n"),0), FailCode = arrayindex(regextract(action_evtlog_message, "Failure Code:.*?(\w.*)\r\n"),0), Host_Name = arrayindex(regextract(action_evtlog_message, "Workstation Name:.*?(\w.*)\r\n"),0), PreAuthType = arrayindex(regextract(action_evtlog_message, "Pre-Authentication Type:.*?(\w.*)\r\n"),0) 5 | | alter FailureReason = " " 6 | | alter FailureReason = if(FailCode CONTAINS "0x0", "No error", FailureReason) // from https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 7 | | alter FailureReason = if(FailCode CONTAINS "0x1", "Client's entry in database has expired", FailureReason) 8 | | alter 
FailureReason = if(FailCode CONTAINS "0x2", "Server's entry in database has expired", FailureReason) 9 | | alter FailureReason = if(FailCode CONTAINS "0x3", "Requested protocol version number not supported", FailureReason) 10 | | alter FailureReason = if(FailCode CONTAINS "0x4", "Client's key encrypted in old master key", FailureReason) 11 | | alter FailureReason = if(FailCode CONTAINS "0x5", "Server's key encrypted in old master key", FailureReason) 12 | | alter FailureReason = if(FailCode CONTAINS "0x6", "Client not found in Kerberos database", FailureReason) 13 | | alter FailureReason = if(FailCode CONTAINS "0x7", "Server not found in Kerberos database", FailureReason) 14 | | alter FailureReason = if(FailCode CONTAINS "0x8", "Multiple principal entries in database", FailureReason) 15 | | alter FailureReason = if(FailCode CONTAINS "0x9", "The client or server has a null key", FailureReason) 16 | | alter FailureReason = if(FailCode CONTAINS "0xa", "Ticket not eligible for postdating", FailureReason) 17 | | alter FailureReason = if(FailCode CONTAINS "0xb", "Requested starttime is later than end time", FailureReason) 18 | | alter FailureReason = if(FailCode CONTAINS "0xc", "KDC policy rejects request", FailureReason) 19 | | alter FailureReason = if(FailCode CONTAINS "0xd", "KDC cannot accommodate requested option", FailureReason) 20 | | alter FailureReason = if(FailCode CONTAINS "0xe", "KDC has no support for encryption type", FailureReason) 21 | | alter FailureReason = if(FailCode CONTAINS "0xf", "KDC has no support for checksum type", FailureReason) 22 | | alter FailureReason = if(FailCode CONTAINS "0x10", "KDC has no support for PADATA type (pre-authentication data)", FailureReason) 23 | | alter FailureReason = if(FailCode CONTAINS "0x11", "KDC has no support for transited type", FailureReason) 24 | | alter FailureReason = if(FailCode CONTAINS "0x12", "Clients credentials have been revoked", FailureReason) 25 | | alter FailureReason = if(FailCode CONTAINS "0x13", 
"Credentials for server have been revoked", FailureReason) 26 | | alter FailureReason = if(FailCode CONTAINS "0x14", "TGT has been revoked", FailureReason) 27 | | alter FailureReason = if(FailCode CONTAINS "0x15", "Client not yet valid; try again later", FailureReason) 28 | | alter FailureReason = if(FailCode CONTAINS "0x16", "Server not yet valid; try again later", FailureReason) 29 | | alter FailureReason = if(FailCode CONTAINS "0x17", "Password has expired—change password to reset", FailureReason) 30 | | alter FailureReason = if(FailCode CONTAINS "0x18", "Pre-authentication information was invalid", FailureReason) 31 | | alter FailureReason = if(FailCode CONTAINS "0x19", "Additional pre-authentication required", FailureReason) 32 | | alter FailureReason = if(FailCode CONTAINS "0x1a", "Requested server and ticket don't match", FailureReason) 33 | | alter FailureReason = if(FailCode CONTAINS "0x1b", "Server principal valid for user2user only", FailureReason) 34 | | alter FailureReason = if(FailCode CONTAINS "0x1c", "KDC Policy rejects transited path", FailureReason) 35 | | alter FailureReason = if(FailCode CONTAINS "0x1d", "A service is not available", FailureReason) 36 | | alter FailureReason = if(FailCode CONTAINS "0x1f", "Integrity check on decrypted field failed", FailureReason) 37 | | alter FailureReason = if(FailCode CONTAINS "0x20", "Ticket expired", FailureReason) 38 | | alter FailureReason = if(FailCode CONTAINS "0x21", "Ticket not yet valid", FailureReason) 39 | | alter FailureReason = if(FailCode CONTAINS "0x22", "Request is a replay", FailureReason) 40 | | alter FailureReason = if(FailCode CONTAINS "0x23", "The ticket isn't for us", FailureReason) 41 | | alter FailureReason = if(FailCode CONTAINS "0x24", "Ticket and authenticator don't match", FailureReason) 42 | | alter FailureReason = if(FailCode CONTAINS "0x25", "Clock skew too great", FailureReason) 43 | | alter FailureReason = if(FailCode CONTAINS "0x26", "Incorrect net address", FailureReason) 44 
| | alter FailureReason = if(FailCode CONTAINS "0x27", "Protocol version mismatch", FailureReason) 45 | | alter FailureReason = if(FailCode CONTAINS "0x28", "Invalid msg type", FailureReason) 46 | | alter FailureReason = if(FailCode CONTAINS "0x29", "Message stream modified", FailureReason) 47 | | alter FailureReason = if(FailCode CONTAINS "0x2a", "Message out of order", FailureReason) 48 | | alter FailureReason = if(FailCode CONTAINS "0x2c", "Specified version of key is not available", FailureReason) 49 | | alter FailureReason = if(FailCode CONTAINS "0x2d", "Service key not available", FailureReason) 50 | | alter FailureReason = if(FailCode CONTAINS "0x2e", "Mutual authentication failed", FailureReason) 51 | | alter FailureReason = if(FailCode CONTAINS "0x2f", "Incorrect message direction", FailureReason) 52 | | alter FailureReason = if(FailCode CONTAINS "0x30", "Alternative authentication method required", FailureReason) 53 | | alter FailureReason = if(FailCode CONTAINS "0x31", "Incorrect sequence number in message", FailureReason) 54 | | alter FailureReason = if(FailCode CONTAINS "0x32", "Inappropriate type of checksum in message", FailureReason) 55 | | alter FailureReason = if(FailCode CONTAINS "0x33", "Policy rejects transited path", FailureReason) 56 | | alter FailureReason = if(FailCode CONTAINS "0x34", "Response too big for UDP; retry with TCP", FailureReason) 57 | | alter FailureReason = if(FailCode CONTAINS "0x3c", "Generic error (description in e-text)", FailureReason) 58 | | alter FailureReason = if(FailCode CONTAINS "0x3d", "Field is too long for this implementation", FailureReason) 59 | | alter FailureReason = if(FailCode CONTAINS "0x43", "No TGT available to validate USER-TO-USER", FailureReason) 60 | | alter FailureReason = if(FailCode CONTAINS "0x45", "Ticket must be for USER-TO-USER", FailureReason) 61 | | fields User_Name, SecurityID, ServiceName, Source_IP,PreAuthType, Failcode, FailureReason // Select all the fields to show them 62 | 
-------------------------------------------------------------------------------- /XQL_Kerberoasting_of_canary_account: -------------------------------------------------------------------------------- 1 | # Warning, this requires the XTH license 2 | dataset = xdr_data // Using the xdr dataset 3 | | filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4769 4 | | alter ServiceName = json_extract(action_evtlog_data_fields,"$.ServiceName") 5 | | alter ServiceName = trim(ServiceName,"\"") 6 | | alter TicketEncryptionType = json_extract(action_evtlog_data_fields,"$.TicketEncryptionType") 7 | | alter TicketOptions= json_extract(action_evtlog_data_fields,"$.TicketOptions") 8 | | alter TargetUserName= json_extract(action_evtlog_data_fields,"$.TargetUserName") 9 | | alter IpAddress= json_extract(action_evtlog_data_fields,"$.IpAddress") 10 | | alter TicketEncryptionTypeName = "" 11 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x1", "DES-CBC-CRC", TicketEncryptionTypeName) 12 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x3", "DES-CBC-MD5", TicketEncryptionTypeName ) 13 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x11", "AES128-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 14 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x12", "AES256-CTS-HMAC-SHA1-96", TicketEncryptionTypeName) 15 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x17", "RC4-HMAC", TicketEncryptionTypeName) 16 | | alter TicketEncryptionTypeName = if(TicketEncryptionType CONTAINS "0x18", "RC4-HMAC-EXP", TicketEncryptionTypeName) 17 | | alter TicketOptionsName = "" 18 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810010", "Forwardable, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 19 | | alter TicketOptionsName = if(TicketOptions CONTAINS "0x40810000", "Forwardable, Renewable, Canonicalize", TicketOptionsName) 20 | | alter TicketOptionsName = 
if(TicketOptions CONTAINS "0x60810010", "Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok", TicketOptionsName) 21 | | fields Agent_Hostname, agent_ip_addresses , ServiceName , TargetUsername, IpAddress , TicketEncryptionType, TicketEncryptionTypeName,TicketOptions, TicketOptionsName, action_evtlog_data_fields 22 | | filter (ServiceName = "sqlsvc") 23 | -------------------------------------------------------------------------------- /XQL_Powershell_transcripts: -------------------------------------------------------------------------------- 1 | config case_sensitive = false 2 | | preset = xdr_event_log 3 | | filter agent_hostname ~="mypc" 4 | | filter (action_evtlog_description = "AmsiScanBuffer " and action_evtlog_event_id = 1101) 5 | | alter Content = json_extract(action_evtlog_data_fields, "$.content") 6 | | alter Session = json_extract(action_evtlog_data_fields, "$.session") 7 | | fields Session, Content 8 | -------------------------------------------------------------------------------- /XQL_RPC_LSAT: -------------------------------------------------------------------------------- 1 | dataset = xdr_data 2 | | filter EVENT_TYPE = RPC_CALL 3 | | filter event_rpc_interface_uuid = "{12345778-1234-ABCD-EF00-0123456789AB}" 4 | | alter event_rpc_interface_name = "MSRPC_UUID_LSAT" 5 | | filter actor_remote_ip != null // show only remote connections 6 | | filter action_rpc_func_opnum != 62 // this is a not on the wire Opnum 7 | | alter action_rpc_func_name = "" 8 | | fields agent_hostname, agent_ip_addresses, actor_remote_ip, event_rpc_interface_uuid,event_rpc_interface_name, action_rpc_func_opnum, action_rpc_func_name 9 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 44, "LsarOpenPolicy2", action_rpc_func_name) 10 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 6, "LsarOpenPolicy", action_rpc_func_name) 11 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 45, "LsarGetUserName", action_rpc_func_name) 12 | | alter 
action_rpc_func_name = if(action_rpc_func_opnum = 77, "LsarLookupNames4", action_rpc_func_name) 13 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 68, "LsarLookupNames3", action_rpc_func_name) 14 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 58, "LsarLookupNames2", action_rpc_func_name) 15 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 14, "LsarLookupNames", action_rpc_func_name) 16 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 76, "LsarLookupSids3", action_rpc_func_name) 17 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 57, "LsarLookupSids2", action_rpc_func_name) 18 | | alter action_rpc_func_name = if(action_rpc_func_opnum = 15, "LsarLookupSids", action_rpc_func_name) 19 | -------------------------------------------------------------------------------- /XQL_Threat_hunt_kerberos_request: -------------------------------------------------------------------------------- 1 | preset = xdr_agent_network 2 | | filter action_remote_port = 88 3 | | filter (actor_process_image_name not in ("lsass.exe", "winlogon.exe", "backgroundTaskHost.exe", "taskhostw.exe", "svchost.exe")) 4 | | fields actor_process_image_name, actor_process_image_path, action_local_ip, action_local_port, action_remote_ip, action_remote_port 5 | 6 | -------------------------------------------------------------------------------- /XQL_driver_hunting: -------------------------------------------------------------------------------- 1 | config case_sensitive = false 2 | | preset = xdr_image_load 3 | | filter action_module_path ~= ".*\.sys$" 4 | | filter event_type = ENUM.LOAD_IMAGE 5 | | filter action_module_path contains "temp" 6 | | filter action_module_path not contains "C:\Windows\System32\" 7 | -------------------------------------------------------------------------------- /XQL_graph_process_by_hour: -------------------------------------------------------------------------------- 1 | dataset = xdr_data 2 | | filter agent_hostname = 
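"MYPC" 3 | | filter event_type = ENUM.PROCESS 4 | | alter myhour = extract_time(_time , "HOUR") 5 | | alter myday = extract_time(_time , "DAY") 6 | | alter mymonth = extract_time(_time , "MONTH") 7 | | alter myyear = extract_time(_time , "YEAR") 8 | | alter when = concat(to_string(myyear), ".", to_string(mymonth) , "." , to_string(myday) , " " , to_string(myhour) , "h") 9 | | comp count(event_id) as total by when 10 | | sort asc when 11 | | view graph type = line xaxis = when yaxis = total 12 |
--------------------------------------------------------------------------------
/convert_to_md.py:
--------------------------------------------------------------------------------
#-*- coding: utf-8 -*-
"""Convert Cortex XDR ``.bioc`` rule exports in a folder into Markdown files.

A ``.bioc`` export has a non-JSON first line (skipped) and the rule JSON on
the second line, wrapped in a list.  The JSON is walked recursively: nested
dicts/lists become Markdown headers, scalar values become ``* key: value``
bullet items.  The output is written to ``<same name>.md`` next to each
``.bioc`` file.  The JSON is parsed with ``json`` only (no code execution).
"""
import sys
import json
import os

# Accumulator for the Markdown text of the file currently being converted;
# addHeader()/addValue() append to it and convert_bioc_to_md() resets it.
markdown = ""
tab = " "
list_tag = '* '
htag = '#'
# Nesting level of the top-level JSON object; header level is depth + 1.
depth = 1
# Markdown has no header deeper than h6, so header levels are capped there.
MAX_HEADER_LEVEL = 6


def loadJSON(file):
    """Read *file* (UTF-8) and return its parsed JSON content."""
    with open(file, 'r', encoding='utf-8') as f:
        return json.load(f)


def parseJSON(json_block, depth):
    """Render a JSON container (dict or list) at nesting level *depth*.

    A scalar passed here is ignored; callers render scalars via addValue().
    """
    if isinstance(json_block, dict):
        parseDict(json_block, depth)
    elif isinstance(json_block, list):
        parseList(json_block, depth)


def parseDict(d, depth):
    """Render a dict: container values get a header and are recursed into one
    level deeper, scalar values become bullet items at this level."""
    for key, value in d.items():
        if isinstance(value, (dict, list)):
            addHeader(key, depth)
            parseJSON(value, depth + 1)
        else:
            addValue(key, value, depth)


def parseList(l, depth):
    """Render a list: scalars are listed by position, containers are recursed into.

    The position comes from enumerate() so duplicate scalar values each keep
    their own index (list.index() returned the first occurrence for every
    duplicate).  Nested containers go through parseJSON(), so a list nested in
    a list is rendered instead of raising in parseDict().
    """
    for index, value in enumerate(l):
        if isinstance(value, (dict, list)):
            parseJSON(value, depth)
        else:
            addValue(index, value, depth)


def buildHeaderChain(depth):
    """Return the Markdown header template for nesting level *depth*.

    The literal word ``value`` is a placeholder that addHeader() substitutes.
    The header level (depth + 1) is capped at h6; the previous post-hoc
    replacement of ``#######`` only handled exactly seven hashes.
    """
    level = htag * min(depth + 1, MAX_HEADER_LEVEL)
    prefix = list_tag if depth else ''
    return prefix + level + ' value ' + level + '\n'


def buildValueChain(key, value, depth):
    """Return one ``* key: value`` bullet line, indented by ``tab`` unless depth is 1."""
    indent = tab if depth - 1 else ''
    return indent + list_tag + str(key) + ": " + str(value) + "\n"


def addHeader(value, depth):
    """Append a header for JSON key *value* at level *depth* to ``markdown``."""
    global markdown
    markdown += buildHeaderChain(depth).replace('value', str(value).title())


def addValue(key, value, depth):
    """Append a ``key: value`` bullet at level *depth* to ``markdown``."""
    global markdown
    markdown += buildValueChain(key, value, depth)


def writeOut(markdown, output_file):
    """Write *markdown* to *output_file* (UTF-8), creating or truncating it."""
    with open(output_file, 'w', encoding='utf-8') as f:
        f.write(markdown)


def _load_bioc_rule(file_path):
    """Return the rule JSON stored in a ``.bioc`` export.

    The first line is a non-JSON header and is skipped; the second line holds
    the JSON.  Exports wrap the rule in a one-element list, which is unwrapped
    so the rule's keys become the top-level headers.  A list with several
    rules is returned as-is and rendered by parseList() (the previous
    ``[1:-1]`` slicing produced invalid JSON for that case).

    Raises:
        json.JSONDecodeError: if the second line is not valid JSON.
    """
    with open(file_path, 'r', encoding='utf-8') as bioc_file:
        bioc_file.readline()  # header line, not JSON
        payload = json.loads(bioc_file.readline().strip())
    if isinstance(payload, list) and len(payload) == 1:
        payload = payload[0]
    return payload


def convert_bioc_to_md(file_path):
    """Convert one ``.bioc`` file to ``<same name>.md`` beside it and print progress."""
    global markdown
    markdown = ''
    rule = _load_bioc_rule(file_path)
    parseJSON(rule, depth)
    md_file_path = os.path.splitext(file_path)[0] + '.md'
    writeOut(markdown, md_file_path)
    print("[+] " + file_path + " = done")


def process_bioc_files(folder_path='.'):
    """Convert every ``*.bioc`` file directly inside *folder_path* (not recursive).

    Files are processed in sorted order so runs are deterministic.
    """
    for name in sorted(os.listdir(folder_path)):
        if name.endswith('.bioc'):
            convert_bioc_to_md(os.path.join(folder_path, name))


if __name__ == "__main__":
    # Folder containing the .bioc exports; an optional first CLI argument
    # overrides the default of the current folder.
    folder_path = sys.argv[1] if len(sys.argv) > 1 else '.'
    process_bioc_files(folder_path)
--------------------------------------------------------------------------------
/images/README.md:
--------------------------------------------------------------------------------
1 | folder containing the images 2 |
--------------------------------------------------------------------------------
/images/xdr_loldriver_api_role.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k4nfr3/XDR_scripts/630ea1a6ff43126e4dc54b9c1ee31fae59d7759c/images/xdr_loldriver_api_role.png
--------------------------------------------------------------------------------
/images/xdr_malware_profile.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k4nfr3/XDR_scripts/630ea1a6ff43126e4dc54b9c1ee31fae59d7759c/images/xdr_malware_profile.PNG
--------------------------------------------------------------------------------
/xdr_log4j.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""Scan local drives for Log4j archives affected by CVE-2021-44228.

Every ``.jar``/``.war``/``.ear``/``.zip`` under each drive is opened (nested
archives included, up to MAX_NESTING levels) and searched for
``JndiLookup.class``.  An archive is reported as "appears to be patched" only
when one of two marker strings is present: ``JNDI is not supported`` in
``JndiLookup.class`` (2.12.2) or ``Message Lookups are no longer supported``
in ``MessagePatternConverter.class`` (2.16).  Any other archive containing
``JndiLookup.class``, and any loose ``JndiLookup.class`` file on disk, is
reported as a hit.  Archive contents are untrusted input: unreadable or
corrupt members are skipped rather than aborting the scan.

Meant to run as a Cortex XDR script with ``run`` as the entry point; the
result is ``{'vulnerable': bool, 'filenames': str}``.
"""

import os
import zipfile
import io
import argparse
import shutil
import string

# Set to True on the first hit and never reset, so it reflects "anything
# vulnerable found so far in this process" across successive main() calls.
foundvulnerable = False
# Newline-separated list of every hit (archive chain or loose class file path).
global_filenames = ''

# Archives nested deeper than this are not opened; bounds recursion and memory
# when a corrupt or crafted archive nests itself repeatedly.
MAX_NESTING = 16
# Extensions treated as archives to open (compared lower-cased).
ARCHIVE_SUFFIXES = ('.jar', '.war', '.ear', '.zip')


# all credits for the original from https://github.com/CERTCC/CVE-2021-44228_scanner
# Install instructions :
#
# This script can be enabled for Mac, Windows and Linux platform
#
# Set Timeout to at least 2400 sec
# input set : Run by entry point -> run
# output : Auto Detect


def _is_archive_name(name):
    """True when *name* ends with one of ARCHIVE_SUFFIXES (case-insensitive)."""
    return name.lower().endswith(ARCHIVE_SUFFIXES)


def _read_member(zf, member):
    """Return the bytes of *member* in *zf*, or None when it cannot be read.

    Archive members are untrusted: corrupt data, encrypted entries and
    unsupported compression raise errors from several backends (zipfile,
    zlib, bz2, lzma), so any Exception is treated as "unreadable".
    KeyboardInterrupt/SystemExit are not caught.
    """
    try:
        return zf.read(member)
    except Exception:
        return None


def _open_nested(zf, member):
    """Return a ZipFile over *member* of *zf*, or None if it is not a readable archive."""
    data = _read_member(zf, member)
    if data is None:
        return None
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except Exception:
        # Not a zip container (or a corrupt one); skip it like the original did.
        return None


def process_jarfile_content(zf, filetree, depth=0):
    """Recursively look in *zf* for JndiLookup.class or more archives and print hits.

    Args:
        zf: a zipfile.ZipFile object.
        filetree: archive names leading to *zf*, outermost first; printed as
            an "a contains b contains c" chain.
        depth: current nesting level; archives at MAX_NESTING or deeper are
            not opened.

    Side effects: an archive with JndiLookup.class and neither patch marker
    sets ``foundvulnerable`` and appends its chain to ``global_filenames``.
    A JndiLookup.class that cannot be read is reported as a hit (no marker
    could be verified).
    """
    global global_filenames
    global foundvulnerable
    ispatched = False
    hasjndi = False
    for f in zf.namelist():
        base = os.path.basename(f)
        if base == 'JndiLookup.class':
            hasjndi = True
            jndilookupbytes = _read_member(zf, f)
            if jndilookupbytes is not None and b'JNDI is not supported' in jndilookupbytes:
                # 2.12.2 is patched
                # https://github.com/apache/logging-log4j2/commit/70edc233343815d5efa043b54294a6fb065aa1c5#diff-4fde33b59714d0691a648fb2752ea1892502a815bdb40e83d3d6873abd163cdeR37
                ispatched = True
        elif base == 'MessagePatternConverter.class':
            mpcbytes = _read_member(zf, f)
            if mpcbytes is not None and b'Message Lookups are no longer supported' in mpcbytes:
                # 2.16 is patched
                # https://github.com/apache/logging-log4j2/commit/27972043b76c9645476f561c5adc483dec6d3f5d#diff-22ae074d2f9606392a3e3710b34967731a6ad3bc4012b42e0d362c9f87e0d65bR97
                ispatched = True
        elif _is_archive_name(base) and depth < MAX_NESTING:
            # keep diving
            new_zf = _open_nested(zf, f)
            if new_zf is None:
                continue
            with new_zf:
                process_jarfile_content(new_zf, filetree + [f], depth + 1)
    filetree_str = ' contains '.join(filetree)
    if hasjndi and ispatched:
        print(filetree_str, 'contains "JndiLookup.class" ** BUT APPEARS TO BE PATCHED **')
    elif hasjndi:
        foundvulnerable = True
        print("WARNING: ", filetree_str, 'contains "JndiLookup.class"')
        global_filenames += filetree_str + "\n"


def do_jarfile_from_disk(fpath):
    """Open the archive at *fpath* and scan it; unreadable or non-zip files are skipped.

    The ZipFile is closed after the scan (the original left it open).
    """
    try:
        zf = zipfile.ZipFile(fpath)
    except Exception:
        # Permission errors, truncated files and non-zip content are all
        # expected when walking a whole drive; none should stop the scan.
        return
    with zf:
        process_jarfile_content(zf, filetree=[fpath])


def main(topdir):
    """Walk *topdir* without crossing mount points and scan archives and loose class files.

    Returns True when anything vulnerable has been found in this process so
    far (``foundvulnerable`` is cumulative across calls); otherwise prints a
    notice and returns False.
    """
    global global_filenames
    global foundvulnerable

    for root, dirs, files in os.walk(topdir, topdown=True):
        # Prune mount points in place so os.walk does not descend into them;
        # run() scans each drive separately.
        dirs[:] = [d for d in dirs if not os.path.ismount(os.path.join(root, d))]
        for name in files:
            path = os.path.join(root, name)
            if name == 'JndiLookup.class':
                # A loose copy of the lookup class is a finding too.  The
                # original listed it without setting foundvulnerable, so
                # run() then reported vulnerable=False and dropped the path.
                print("WARNING: %s *IS* JndiLookup.class" % path)
                foundvulnerable = True
                global_filenames += path + "\n"
            elif _is_archive_name(name):
                do_jarfile_from_disk(path)
    if not foundvulnerable:
        print("No vulnerable components found")
        return False
    return True


def _scan_drive(drive):
    """Print *drive*'s usage, scan it with main() and return main()'s result.

    disk_usage() fails on a drive letter with no media (e.g. an empty card
    reader); that is reported and the scan still proceeds.
    """
    print("Let's scan : " + drive)
    try:
        total, used, free = shutil.disk_usage(drive)
    except OSError as err:
        print("Could not read disk usage for %s: %s" % (drive, err))
    else:
        print("Used: %d GiB" % (used // (2 ** 30)))
    return main(drive)


def run():
    """XDR entry point: scan every drive letter (Windows) or / (POSIX).

    Returns:
        ``{'vulnerable': True, 'filenames': <newline-separated hits>}`` when
        anything was found, else ``{'vulnerable': False, 'filenames': ''}``.
    """
    global global_filenames

    all_tests = False

    if os.name == 'nt':
        # Every existing drive letter A: .. Z:; the original stopped at J:
        # and silently skipped K: through Z:.
        available_drives = ['%s:' % d for d in string.ascii_uppercase if os.path.exists('%s:' % d)]
        for drive in available_drives:
            if _scan_drive(drive + "\\"):
                all_tests = True
    elif os.name == 'posix':
        if _scan_drive("/"):
            all_tests = True
    else:
        print("Error os.name returned :" + str(os.name))

    if all_tests:
        return {'vulnerable': True, 'filenames': global_filenames}
    return {'vulnerable': False, 'filenames': ''}


if __name__ == "__main__":
    print(run())
--------------------------------------------------------------------------------
/xdr_loldriver_api_role.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k4nfr3/XDR_scripts/630ea1a6ff43126e4dc54b9c1ee31fae59d7759c/xdr_loldriver_api_role.png
--------------------------------------------------------------------------------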