diff --git a/rules/credential_access_registry_access_to_sam_database.yml b/rules/credential_access_registry_access_to_sam_database.yml
index 576c1b881..80b76fff4 100644
--- a/rules/credential_access_registry_access_to_sam_database.yml
+++ b/rules/credential_access_registry_access_to_sam_database.yml
@@ -1,6 +1,6 @@
 name: Registry access to SAM database
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 2.0.0
+version: 2.0.1
 description: Identifies access to the Security Account Manager registry hives.
 labels:
@@ -26,10 +26,9 @@ condition: >
 '?:\\Program Files\\*.exe',
 '?:\\Program Files (x86)\\*.exe',
 '?:\\Windows\\System32\\svchost.exe'
- ) or
- (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') or
- (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
- )
+ )) and
+ not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') and
+ not (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
 |
 |open_registry and
 registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
index 856bddb28..8adc79043 100644
--- a/rules/credential_access_suspicious_vault_client_dll_load.yml
+++ b/rules/credential_access_suspicious_vault_client_dll_load.yml
@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.6
+version: 1.0.7
 description: |
 Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
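Review bot: The ngen.exe exclusion on the new `not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')` line keys only on the command line, a value the launching process supplies, whereas the other exclusions in this hunk anchor on `ps.exe` or `ps.parent.exe`; anchoring this one on the image as well, e.g. `not (ps.exe imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe' and ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')`, keeps the exclusion tied to the binary it is meant for. The same cmdline-only ngen.exe clause is added in the hunk of defense_evasion_unsigned_dll_injection_via_remote_thread.yml and should get the same treatment. The rewrite from `not (... or ... or ...)` to separate `not` clauses is otherwise equivalent; the enclosing `not (ps.exe imatches (` opens before this hunk.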
@@ -25,38 +25,37 @@ condition: >
 |spawn_process and
 ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
 ps.exe != '' and
 not (ps.exe imatches
- (
- '?:\\Windows\\System32\\MDMAppInstaller.exe',
- '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
- '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
- '?:\\Windows\\System32\\UCConfigTask.exe',
- '?:\\Windows\\System32\\DllHost.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
- '?:\\Program Files\\*.exe',
- '?:\\Program Files (x86)\\*.exe',
- '?:\\Windows\\winsxs\\*\\TiWorker.exe',
- '?:\\Windows\\System32\\RuntimeBroker.exe',
- '?:\\WINDOWS\\system32\\UCConfigTask.exe',
- '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
- '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
- '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
- '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
- '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
- '?:\\Windows\\System32\\PickerHost.exe',
- '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
- '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
- '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
- '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
- '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
- ) or
- (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
- (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
- (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
- (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
- )
+ (
+ '?:\\Windows\\System32\\MDMAppInstaller.exe',
+ '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+ '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
+ '?:\\Windows\\System32\\UCConfigTask.exe',
+ '?:\\Windows\\System32\\DllHost.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\Windows\\winsxs\\*\\TiWorker.exe',
+ '?:\\Windows\\System32\\RuntimeBroker.exe',
+ '?:\\WINDOWS\\system32\\UCConfigTask.exe',
+ '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
+ '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
+ '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
+ '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
+ '?:\\Windows\\System32\\PickerHost.exe',
+ '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
+ '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
+ '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
+ )) and
+ not (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) and
+ not (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) and
+ not (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') and
+ not (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
 |
 |load_dll and dll.name ~= 'vaultcli.dll'|
diff --git a/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml b/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml
index e5377afb6..663c82f75 100644
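Review bot: The re-added path list still carries entries that collapse into each other and could have been dropped while the block was being rewritten: `'?:\\WINDOWS\\system32\\UCConfigTask.exe'` repeats `'?:\\Windows\\System32\\UCConfigTask.exe'` if `imatches` is case-insensitive as its name suggests, `'?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'` appears twice, and `MicrosoftWindows.Client.CBS_*\\SearchHost.exe` is already covered by `MicrosoftWindows.Client.*\\SearchHost.exe`. Separately, the new `not (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe')` line suppresses every service-hosted process regardless of its image or signer; the `ps.sid not in (...)` guard above already drops the built-in service accounts, so this clause only affects services running under other accounts, and narrowing it with a signed-publisher condition (the `ps.signature.*` fields this same commit uses in the persistence rule) would keep that coverage. The refactor from `not (... or ... )` to chained `not` clauses is otherwise equivalent, and the sequence's second stage closes the rule outside the changed lines.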
--- a/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml
+++ b/rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml
@@ -1,6 +1,6 @@
 name: Potential shellcode execution via ETW logger thread
 id: 3e915273-5ea0-4576-afc9-b018e2d53545
-version: 1.0.2
+version: 1.0.3
 description: |
 Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode within the local process address space.
@@ -22,8 +22,8 @@ condition: >
 (
 '?:\\WINDOWS\\System32\\ProvTool.exe',
 '?:\\Windows\\System32\\LogonUI.exe'
- ) or
- thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*'))
+ )) and
+ not (thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*'))
 output: >
 Potential shellcode execution via EtwpCreateEtwThread API initiated by process %ps.exe
diff --git a/rules/defense_evasion_process_spawned_from_unusual_directory.yml b/rules/defense_evasion_process_spawned_from_unusual_directory.yml
index 344166977..fbbd248cc 100644
--- a/rules/defense_evasion_process_spawned_from_unusual_directory.yml
+++ b/rules/defense_evasion_process_spawned_from_unusual_directory.yml
@@ -1,6 +1,6 @@
 name: Process spawned from unusual directory
 id: eb51aad3-f2ce-4f5a-b8f1-4cfb8d0d141e
-version: 1.0.0
+version: 1.0.1
 description: |
 Detects executions of common utilities or build tools when those binaries are launched from suspicious default Windows directories. Attackers often
@@ -96,13 +96,10 @@ condition: >
 '?:\\Windows\\SKB\\*',
 '?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*'
 ) and
- not
- (
- (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall')) or
- (ps.name = 'regsvr32.exe' and ps.args imatches ('?:\\Windows\\servicing\\LCU\\Package_for_RollupFix~*')) or
- (ps.parent.exe imatches '?:\\Windows\\system32\\CompatTelRunner.exe' and ps.parent.args imatches ('*-m:appraiser.dll')) or
- (ps.exe imatches ('?:\\Program Files\\*\\msbuild.exe', '?:\\Program Files (x86)\\*\\msbuild.exe'))
- )
+ not (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall')) and
+ not (ps.name = 'regsvr32.exe' and ps.args imatches ('?:\\Windows\\servicing\\LCU\\Package_for_RollupFix~*')) and
+ not (ps.parent.exe imatches '?:\\Windows\\system32\\CompatTelRunner.exe' and ps.parent.args imatches ('*-m:appraiser.dll')) and
+ not (ps.exe imatches ('?:\\Program Files\\*\\msbuild.exe', '?:\\Program Files (x86)\\*\\msbuild.exe'))
 action:
 - name: kill
diff --git a/rules/defense_evasion_suspicious_child_spawned_via_reflected_process.yml b/rules/defense_evasion_suspicious_child_spawned_via_reflected_process.yml
index 548aba1f9..733ab3e31 100644
--- a/rules/defense_evasion_suspicious_child_spawned_via_reflected_process.yml
+++ b/rules/defense_evasion_suspicious_child_spawned_via_reflected_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious child spawned via reflected process
 id: 0c71dd48-d238-41bb-9c7e-9ba804e888de
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the creation of a child via the clone process by employing the RtlCreateProcessReflection or RtlCloneUserProcess API.
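Review bot: The rundll32 exclusion `not (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall'))` compares basenames only, so a parent called svchost.exe in any directory satisfies it, while the CompatTelRunner clause two lines below anchors on the full `ps.parent.exe` path; for consistency and a tighter exclusion write `ps.parent.exe imatches '?:\\Windows\\System32\\svchost.exe'` there. The `ps.name = 'regsvr32.exe'` clause has the same basename-only shape, although the directory checks that open the condition above this hunk may already constrain `ps.exe` enough that it does not matter. The conversion from `not ( A or B or C or D )` to four `not` clauses is otherwise equivalent.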
@@ -22,12 +22,9 @@ condition: >
 maxspan 5m
 |spawn_process and
 thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection', 'ntdll.dll!RtlCloneUserProcess') and
- not
- (
- (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll|wersvc.dll*') or
- (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll*') or
- (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile*'))
- )
+ not (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll|wersvc.dll*') and
+ not (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll*') and
+ not (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile*'))
 | by ps.uuid
 |spawn_process and ps.exe not imatches
diff --git a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
index fb0268d57..f37b4522d 100644
--- a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
+++ b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml
@@ -1,6 +1,6 @@
 name: Thread context set from unbacked memory
 id: f8219274-ee68-416b-8489-4d2e635c7844
-version: 1.0.6
+version: 1.0.7
 description: |
 Identifies manipulation of the thread context from unbacked memory region. This may be indicative of process injection.
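Review bot: The second WerFault clause, `not (... and thread.callstack.summary imatches '*faultrep.dll*')`, matches a superset of the first one's `'*faultrep.dll|wersvc.dll*'`, so the first added `not` line is dead and can be dropped; keeping both reads as though the narrower pattern were still doing work. If the intent was to exclude only the wersvc-originated path, it is the broader clause that should go instead. The rewrite is otherwise equivalent to the removed `not ( ... or ... or ... )`; the sequence's second stage continues past the hunk.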
@@ -22,6 +22,6 @@ condition: >
 '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
 '?:\\Windows\\System32\\taskhostw.exe'
 ) and
- (ps.exe not imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline not imatches 'go mod tidy -modfile=*.mod')
+ not (ps.exe imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline imatches 'go mod tidy -modfile=*.mod')
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
index 7af4c6241..0b298a72b 100644
--- a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
+++ b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.1.5
+version: 1.1.6
 description: |
 Identifies unsigned DLL injection via remote thread creation. Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -28,9 +28,9 @@ condition: >
 (
 '?:\\Program Files\\*.exe',
 '?:\\Program Files (x86)\\*.exe'
- ) or
- (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) or
- (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior'))
+ )) and
+ not (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) and
+ not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
 | by thread.pid
 |(load_unsigned_or_untrusted_dll) and dll.path not imatches
diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
index 50946dbd1..acf89320a 100644
--- a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
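Review bot: This hunk changes the rule's scope rather than just its shape: the removed `(ps.exe not imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline not imatches 'go mod tidy -modfile=*.mod')` is `not (A or B)`, while the new `not (ps.exe imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline imatches 'go mod tidy -modfile=*.mod')` is `not (A and B)`. The net effect is that go.exe running anything other than `go mod tidy`, and any other image presenting that command line, are no longer suppressed. That is the narrower and probably intended exclusion, but since every other hunk in this commit is a pure De Morgan rewrite, the commit message or a rule comment should state that this one is deliberate, and a patch-level version bump may understate it for consumers of the rule set.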
+++ b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.1.3
+version: 1.1.4
 description: |
 Identifies the script interpreter or untrusted process writing to commonly abused run keys or the Startup folder locations.
@@ -34,8 +34,8 @@ condition: >
 '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
 '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe',
 '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe'
- ) or
- (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*'))
+ )) and
+ not (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*')
 action:
 - name: kill
diff --git a/rules/persistence_suspicious_startup_shell_folder_modification.yml b/rules/persistence_suspicious_startup_shell_folder_modification.yml
index d98e6c5ee..eb7ec0820 100644
--- a/rules/persistence_suspicious_startup_shell_folder_modification.yml
+++ b/rules/persistence_suspicious_startup_shell_folder_modification.yml
@@ -1,6 +1,6 @@
 name: Suspicious Startup shell folder modification
 id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad
-version: 1.0.4
+version: 1.0.5
 description: |
 Detects when adversaries attempt to modify the default Startup folder path to to circumvent runtime rules that hunt for file
@@ -19,7 +19,7 @@ labels:
 condition: >
 modify_registry and
 registry.path imatches startup_shell_folder_registry_keys and
- not (registry.data imatches startup_locations or
- registry.data imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'))
+ registry.data not imatches startup_locations and
+ registry.data not imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')
 min-engine-version: 3.0.0
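Review bot: The new `not (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*')` suppresses any process that merely carries a signature whose subject contains the substring `Microsoft`; as written, `ps.signature.exists` says nothing about whether that signature verified, so if the engine exposes a signature-validity field it should be ANDed into this clause, and the subject test could be tightened to the publisher's full subject rather than a wildcard substring. Because this rule's `action` below is `kill`, a broad exclusion errs on the safe side operationally, which makes the inferred intent plausible, but confirm against the engine's signature field semantics. The De Morgan rewrite itself is equivalent to the removed form; the `not (ps.exe imatches (` that this hunk closes opens above it.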
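Review bot: The rewrite to `registry.data not imatches startup_locations and registry.data not imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')` is equivalent to the removed `not (... or ...)`, so nothing changes in what this rule matches. While the file is being touched, the description line in its header hunk still reads `path to to circumvent`; the doubled `to` should be removed in the same commit.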