diff --git a/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml new file mode 100644 index 00000000000..58206c36b95 --- /dev/null +++ b/rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml @@ -0,0 +1,32 @@ +title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection +id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15 +status: experimental +description: | + Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. + It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character. +references: + - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py + - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2024/03/20 +tags: + - attack.initial_access + - cve.2024.1212 +logsource: + category: webserver +detection: + selection_path: + cs-method: 'GET' + cs-uri-stem|contains|all: + - '/access/set' + - 'param=enableapi' + - 'value=1' + selection_keywords: + - 'Basic Jz' + - 'Basic c7' + - 'Basic nO' + - "Basic ';" + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml similarity index 66% rename from rules/windows/process_creation/proc_creation_win_cmd_redirect.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml index db197e0b06f..aa6c72620f7 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml @@ -4,15 +4,18 @@ related: - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 type: similar status: test -description: Detects the use of the redirection character ">" to redicrect information in commandline +description: | + Detects the use of the redirection character ">" to redirect information on the command line. + This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. references: - https://ss64.com/nt/syntax-redirection.html author: frack113 date: 2022/01/22 -modified: 2023/03/07 +modified: 2024/03/19 tags: - attack.discovery - attack.t1082 + - detection.threat_hunting logsource: category: process_creation product: windows @@ -22,12 +25,12 @@ detection: - Image|endswith: '\cmd.exe' selection_cli: CommandLine|contains: '>' - filter_idm_extension: + filter_optional_idm_extension: CommandLine|contains: - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe' - 'chrome-extension://' - '\\.\pipe\chrome.nativeMessaging' - condition: all of selection_* and not 1 of filter_* + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment level: low diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 02eedbdff08..69659801c5e 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -1,12 +1,15 @@ title: EVTX Created In Uncommon Location id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb status: experimental -description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls +description: | + Detects the creation of new files with the ".evtx" extension in non-common or non-standard location. + This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within. + Note that backup software and legitimate administrator might perform similar actions during troubleshooting. references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key author: D3F7A5105 date: 2023/01/02 -modified: 2023/07/13 +modified: 2024/03/26 tags: - attack.defense_evasion - attack.t1562.002 @@ -18,15 +21,12 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|contains: ':\Windows\System32\winevt\Logs\' + TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' - filter_main_generic_img: - Image|endswith: - - ':\Windows\explorer.exe' - - ':\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity -level: high + - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "_.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files +level: medium diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index a425bd0fd24..713aa6165e3 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml @@ -3,11 +3,12 @@ id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d status: test description: | Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). + It is highly recommended to perform an initial baseline before using this rule in production. references: - Internal Research author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 -modified: 2023/11/10 +modified: 2024/03/18 tags: - attack.defense_evasion - attack.t1036.005 @@ -89,48 +90,38 @@ detection: - '\WSReset.exe' - '\WUDFHost.exe' - '\WWAHost.exe' - filter_main_dism_tiworker: + filter_main_generic: + # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives. TargetFilename|contains: - - ':\Windows\SoftwareDistribution\' - - ':\Windows\System32\' - - ':\Windows\SysWOW64\' - - ':\Windows\WinSxS\' - '\SystemRoot\System32\' - Image|endswith: - - '\Windows\System32\dism.exe' - - '\TiWorker.exe' - filter_main_setuphost: - TargetFilename|contains: ':\$WINDOWS.~BT\' - Image|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe' - filter_main_wbengine: - TargetFilename|endswith: '\RuntimeBroker.exe' - Image|endswith: ':\Windows\system32\wbengine.exe' + - 'C:\$WINDOWS.~BT\' + - 'C:\$WinREAgent\' + - 'C:\Windows\SoftwareDistribution\' + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + - 'C:\Windows\uus\' filter_main_svchost: - Image|endswith: ':\Windows\system32\svchost.exe' - TargetFilename|contains: - - ':\Windows\SoftwareDistribution\Download\' - - ':\Program Files\WindowsApps\' + Image|endswith: 'C:\Windows\system32\svchost.exe' + TargetFilename|contains: 'C:\Program Files\WindowsApps\' filter_main_wuauclt: - Image|endswith: ':\Windows\System32\wuauclt.exe' + Image|endswith: 'C:\Windows\System32\wuauclt.exe' filter_main_explorer: - TargetFilename|endswith: ':\Windows\explorer.exe' + TargetFilename|endswith: 'C:\Windows\explorer.exe' filter_main_msiexec: # This filter handles system processes who are updated/installed using misexec. - Image|endswith: ':\WINDOWS\system32\msiexec.exe' + Image|endswith: 'C:\WINDOWS\system32\msiexec.exe' # Add more processes if you find them or simply filter msiexec on its own. If the list grows big TargetFilename|endswith: - - ':\Program Files\PowerShell\7\pwsh.exe' - - ':\Program Files\PowerShell\7-preview\pwsh.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' + - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' filter_main_healtray: - TargetFilename|contains: ':\Windows\System32\SecurityHealth\' + TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\' TargetFilename|endswith: '\SecurityHealthSystray.exe' Image|endswith: '\SecurityHealthSetup.exe' - filter_main_wuaucltcore: - Image|contains: ':\Windows\uus\' - Image|endswith: '\wuaucltcore.exe' - TargetFilename|contains: ':\$WinREAgent\' condition: selection and not 1 of filter_main_* falsepositives: - System processes copied outside their default folders for testing purposes - Third party software naming their software with the same names as the processes mentioned here -level: high +# Note: Upgrade to high after an initial baseline to your environement. +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index 6a92f17b4ab..0f15e3a0b4d 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -1,4 +1,4 @@ -title: Suspicious CMD Shell Output Redirect +title: Potentially Suspicious CMD Shell Output Redirect id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 related: - id: aa2efee7-34dd-446e-8a37-40790a66efd7 @@ -6,12 +6,14 @@ related: - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar status: experimental -description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location +description: | + Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. + This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 -modified: 2023/05/15 +modified: 2024/03/19 tags: - attack.defense_evasion - attack.t1218 @@ -24,24 +26,18 @@ detection: - OriginalFileName: 'Cmd.Exe' selection_cli_1: CommandLine|contains: - # Add more suspicious locations as you find them - # The space from the start is missing to cover append operations ">>" - - '> \Users\Public\' - - '> %APPDATA%\' - - '> %TEMP%\' - - '> %TMP%\' - - '> %USERPROFILE%\' - - '> C:\Temp\' - - '> C:\Users\Public\' - - '> C:\Windows\Temp\' - - '>\Users\Public\' - - '>%APPDATA%\' - - '>%TEMP%\' - - '>%TMP%\' - - '>%USERPROFILE%\' - - '>C:\Temp\' - - '>C:\Users\Public\' - - '>C:\Windows\Temp\' + # Note: Add more suspicious locations as you find them + # Note: The space from the start is missing to cover append operations ">>" + # Note: We use the "?" to account for both a single and a double quote + # Note: If you want to account for more spaces which is still a valid bypass option. Use a regex with "\s" + - '>?%APPDATA%\' + - '>?%TEMP%\' + - '>?%TMP%\' + - '>?%USERPROFILE%\' + - '>?C:\ProgramData\' + - '>?C:\Temp\' + - '>?C:\Users\Public\' + - '>?C:\Windows\Temp\' selection_cli_2: CommandLine|contains: - ' >' diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml index b377ab6fccb..d4775a8d0e3 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml @@ -9,6 +9,7 @@ references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/02 +modified: 2024/03/19 tags: - attack.defense_evasion - attack.t1562.001 @@ -17,7 +18,7 @@ logsource: product: windows detection: selection_img: - - Image|endswith: 'reg.exe' + - Image|endswith: '\reg.exe' - OriginalFileName: 'reg.exe' selection_safeboot: CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot' diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml index 34371191361..9f6d002f55e 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml @@ -8,7 +8,7 @@ references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf author: Florian Roth (Nextron Systems) date: 2022/02/23 -modified: 2023/12/21 +modified: 2024/03/19 tags: - attack.execution - attack.t1053.005 @@ -47,6 +47,10 @@ detection: - 'mshta.exe http' selection_anomaly_1: CommandLine|contains: + - ':\ProgramData\' + - ':\Temp\' + - ':\Tmp\' + - ':\Users\Public\' - ':\Windows\Temp\' - '\AppData\' - '%AppData%' diff --git a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml index 180b03de3c2..bdf47246396 100644 --- a/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml @@ -1,4 +1,4 @@ -title: Office Macros Auto-Enabled +title: Office Macros Warning Disabled id: 91239011-fe3c-4b54-9f24-15c86bb65913 related: - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd @@ -11,7 +11,7 @@ references: - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) date: 2020/05/22 -modified: 2023/08/17 +modified: 2024/03/19 tags: - attack.defense_evasion - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml new file mode 100644 index 00000000000..af6864318e7 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml @@ -0,0 +1,27 @@ +title: MaxMpxCt Registry Value Changed +id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e +status: experimental +description: | + Detects changes to the "MaxMpxCt" registry value. + MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. + Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. +references: + - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps + - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware + - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 + - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2024/03/19 +tags: + - attack.defense_evasion + - attack.t1070.005 +logsource: + category: registry_set + product: windows +detection: + selection: + TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index e3db6238361..15ec0331651 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml @@ -6,7 +6,7 @@ references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing date: 2018/08/25 -modified: 2023/12/11 +modified: 2024/03/18 tags: - attack.persistence - attack.t1547.001 @@ -33,9 +33,12 @@ detection: - '%Public%\' - 'wscript' - 'cscript' - condition: all of selection_* -fields: - - Image + filter_main_windows_update: + Image|startswith: 'C:\Windows\SoftwareDistribution\Download\' + Details|contains|all: + - 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32' + - 'C:\Windows\Temp\' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Software using weird folders for updates level: high