diff --git a/queries/windows/account_access_removal.yml b/queries/windows/account_access_removal.yml index 613e81f..234c0e5 100644 --- a/queries/windows/account_access_removal.yml +++ b/queries/windows/account_access_removal.yml @@ -1,18 +1,17 @@ title: Account Access Removal description: Detects the deletion of a local user account or removal of Active Directory - groups through powershell cmdlets. No detection for account password resets for - purpose of impact due to false detections. + groups through powershell cmdlets. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Impact technique: T1531 - subtechnique: null + subtechnique: operating_system: windows query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtProcCmdLine ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS "Remove-ADGroupMember" -false_positives: null -tags: null - +false_positives: +tags: +references: diff --git a/queries/windows/account_manipulation.yml b/queries/windows/account_manipulation.yml index 3a7a466..de43471 100644 --- a/queries/windows/account_manipulation.yml +++ b/queries/windows/account_manipulation.yml 
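Review bot: The deleted description sentence recorded a known coverage gap (password resets for impact are intentionally not detected because of false positives) and the new text drops it without moving it anywhere; keep it, e.g. as a trailing sentence `Password resets are intentionally not covered due to false positives.` or as a `false_positives:` entry. The query context line uses `SrcProcCmdline` while the other files in this commit spell the field `SrcProcCmdLine`/`TgtProcCmdLine` (the same lower-case `l` appears in group_policy_preference_extraction.yml and lazagne_password_theft.yml); if the query engine matches field names case-sensitively that clause never fires, so confirm the canonical spelling. The new `false_positives:`, `tags:` and `references:` lines are bare empty values, which parse to null rather than an empty list; if a consumer iterates them, write `[]` explicitly, and apply the same choice across the whole set rather than mixing `null`, empty and list forms.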
@@ -1,22 +1,20 @@ title: Account Manipulation -description: Both Atomic tests for account manipulation rely on PowerShell AD module, - so we can catch both with one query. We have the query encapsulated so that we can - filter it at the end by Parent Process, as some Logon Scripts and Configuration - Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out - certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection - on import of Powershell AD cmdlets. +description: Detect account manipulation with the PowerShell AD module, filtered by Parent Process, as some Logon Scripts and Configuration Items (SCOM, SCCM) may also cause noise. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Persistence technique: T1098 - subtechnique: null + subtechnique: operating_system: windows query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser") OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser") OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe") -false_positives: null -tags: null +false_positives: + - logon scripts + - Configuration Manager CI/BL Items +tags: +references: diff --git a/queries/windows/allow_executable_through_defender_firewall.yml b/queries/windows/allow_executable_through_defender_firewall.yml index 3cb831a..55fa4f3 100644 --- a/queries/windows/allow_executable_through_defender_firewall.yml +++ b/queries/windows/allow_executable_through_defender_firewall.yml 
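Review bot: The new `description:` is one plain scalar of roughly 170 characters; fold it with `>-` and keep the lines under 80 columns like the other descriptions in this commit. The removed text also said that CommandScript detection fires on import of the PowerShell AD cmdlets, a concrete false-positive source that the new `false_positives:` list does not carry; add `- Import of the PowerShell AD module (CommandScript object)` next to the two existing entries. The `svchost.exe` entry in the unchanged `SrcProcParentName Not In` exclusion is a very broad parent filter, so a short sentence naming which noise source needs it would help the next tuner decide whether it can be narrowed.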
@@ -1,8 +1,8 @@ title: Allow Executable Through Defender Firewall author: keyboardcrunch -description: Detect allowance of executables through Defender Firewall. +description: Detect allowance of executables within Users or Temp folders through Defender Firewall. date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1562 @@ -10,6 +10,7 @@ mitre: operating_system: windows query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp") -false_positives: null -tags: null +false_positives: +tags: +references: diff --git a/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml b/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml index 45d6c7d..cee55d1 100644 --- a/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml +++ b/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml @@ -2,7 +2,7 @@ title: Allow SMB and RDP on Defender Firewall description: Detects addition of Defender firewall rules for SMB and RDP. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: mitre: tactic: Defense Evasion technique: T1562 @@ -11,6 +11,6 @@ operating_system: windows query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop" AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes") -false_positives: null -tags: null - +false_positives: +tags: +references: diff --git a/queries/windows/amsi_bypass_initfailed.yml b/queries/windows/amsi_bypass_initfailed.yml index a439f60..f52b0ba 100644 --- a/queries/windows/amsi_bypass_initfailed.yml +++ b/queries/windows/amsi_bypass_initfailed.yml 
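Review bot: The path list `("C:\Users","C:\Windows\Temp")` on the unchanged query line hard-codes the `C:` drive, so the new description's "within Users or Temp folders" is slightly wider than the rule; either say `on the system drive` in the description or drop the drive letter and anchor on the separator, `In Contains Anycase ("\Users\","\Windows\Temp\")`, so that e.g. a `\UsersBackup` directory (constructed example) does not match. The added `references:` key is a bare empty value, as in the sibling files; see the note on account_access_removal.yml for the null-vs-list point.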
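Review bot: In allow_smb_and_rdp_on_defender_firewall.yml `modified:` goes from `null` to an empty value even though this commit edits the file, while the sibling files set `modified: 05/12/2020`; the same happens in amsi_bypass_initfailed.yml. Set `modified: 05/12/2020` in both for consistency. Because `date: 24/11/2020` in edge_or_ie_cred_extraction_w_pwsh.yml shows the format is day-first, a reader cannot tell from `05/12/2020` alone which month is meant; an ISO form such as `"2020-12-05"` (quoted if the consumer expects a string rather than a YAML date) would remove the ambiguity across the whole set.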
@@ -2,7 +2,7 @@ title: AMSI Bypass Through InitFailed description: Detects AMSI bypass through InitFailed. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: mitre: tactic: Defense Evasion technique: T1562 @@ -10,6 +10,6 @@ mitre: operating_system: windows query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)" -false_positives: null -tags: null - +false_positives: +tags: +references: diff --git a/queries/windows/assoc_default_file_change.yml b/queries/windows/assoc_default_file_change.yml index ac5b3af..cf18baa 100644 --- a/queries/windows/assoc_default_file_change.yml +++ b/queries/windows/assoc_default_file_change.yml @@ -2,15 +2,13 @@ title: Assoc Default File Change description: Detection of file association change through assoc command. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Privilege Escalation technique: T1546 subtechnique: 008 operating_system: windows -query: '--- File assoc change by assoc command - - TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"' +query: 'TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"' false_positives: null tags: null diff --git a/queries/windows/windows_command_shell.yml b/queries/windows/batchfile_execution_from_temp.yml similarity index 92% rename from queries/windows/windows_command_shell.yml rename to queries/windows/batchfile_execution_from_temp.yml index 344f1af..8b7340a 100644 --- a/queries/windows/windows_command_shell.yml +++ b/queries/windows/batchfile_execution_from_temp.yml 
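Review bot: In assoc_default_file_change.yml the trailing `false_positives: null` and `tags: null` context lines are kept while nearly every other file in this commit rewrites them to empty values or lists; pick one representation for the set. The simplified query is `ContainsCIS "assoc"`, a substring test that also fires on command lines containing words such as "association" or "associated" (constructed examples), and `RegExp ".*=.*"` only requires an `=` somewhere; a bounded form such as `TgtProcCmdLine RegExp "\bassoc\b\s+\S+=\S+"` keeps the intent while cutting that noise (confirm the engine's regex dialect supports `\b`). Dropping the `--- File assoc change by assoc command` comment line from the quoted query string is right; change_shell_open_regkeys.yml still ships a `--- File assoc change by registry` line inside its query and should get the same treatment.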
@@ -1,4 +1,4 @@ -title: Windows Command Shell +title: Batchfile Execution from Temp description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter. author: keyboardcrunch date: 10/10/2020 diff --git a/queries/windows/bits_jobs.yml b/queries/windows/bits_jobs.yml index 6ba78d6..9bf1bf4 100644 --- a/queries/windows/bits_jobs.yml +++ b/queries/windows/bits_jobs.yml @@ -1,10 +1,10 @@ title: BITS Jobs -description: The below query will find and remote content downloads from DesktopImgDownldr +description: Detect remote content downloads from DesktopImgDownldr or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system processes and noise with SrcProcParentName Not In (). author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion, Persistence technique: T1197 @@ -15,6 +15,7 @@ query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.ex OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe" AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not In ("services.exe","smss.exe","wininit.exe") -false_positives: null +false_positives: + - Powershell file downloads tags: null diff --git a/queries/windows/browser_extension_installation.yml b/queries/windows/browser_extension_installation.yml index 3407fae..3073460 100644 --- a/queries/windows/browser_extension_installation.yml +++ b/queries/windows/browser_extension_installation.yml 
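Review bot: In bits_jobs.yml `tags: null` is kept as a context line while `false_positives:` becomes a list in the same hunk; the other files in this commit convert both, so normalise this one too. The new description's last clause ("excludes system processes and noise with SrcProcParentName Not In ()") restates query syntax rather than describing the detection; `Parent-process exclusions for services.exe, smss.exe and wininit.exe reduce noise.` reads better. The PowerShell branch on the unchanged query line matches only `TgtProcName = "powershell.exe"`, so `pwsh.exe` invocations of Start-BitsTransfer are not covered; add it or state the limit in the description.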
@@ -1,17 +1,16 @@ title: Browser Extension Installation -description: This query takes a lazy approach to detecting the staging of xpi or crx - extension packages for installation within Chrome and Firefox based browsers. Unsure - how to filter our extension updates without excluding too much. +description: Lazy quyer for detecting the staging of xpi or crx + extension packages for installation within Chrome and Firefox based browsers. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Persistence technique: T1176 - subtechnique: null + subtechnique: operating_system: windows query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/bypass_user_access_control.yml b/queries/windows/bypass_user_access_control.yml index fec5c34..60a9b55 100644 --- a/queries/windows/bypass_user_access_control.yml +++ b/queries/windows/bypass_user_access_control.yml @@ -1,12 +1,9 @@ title: T1548.002 Bypass User Access Control description: Detection of UAC bypass through tampering with Shell Open for .ms-settings - or .msc file types. Beyond this Atomic test, and to further UAC bypass detection, - the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted - issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key - paths were ControlSet001\Service\bam\State\UserSettings\GUID... + or .msc file types. Also includes detection for CMSTPLUA COM interface abuse by GUID. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion, Privilege Escalation technique: T1548 
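Review bot: Typo in the new description: `quyer` should be `query`, and "Lazy" tells a reader of the rule catalogue nothing; `Detects staging of xpi or crx extension packages for installation by Chrome- and Firefox-based browsers.` is clearer. The removed sentence ("Unsure how to filter out extension updates without excluding too much") described a real noise source that is now lost; carry it over as the `false_positives:` entry `- Browser extension updates`. Unlike most edited files this one gains no `references:` key; add it for schema consistency.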
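Review bot: In bypass_user_access_control.yml the removed lines recorded an agent-version-specific observation (`Sentinel Agent 4.3.2.86` not detecting by registry key, with the observed `ControlSet001\Service\bam\State\UserSettings\GUID...` paths); if it is still accurate keep it as a `# ` comment above `query:`, and if it is no longer accurate the description should say that the registry path is intentionally not queried. The title `T1548.002 Bypass User Access Control` keeps the technique id as a prefix while other titles in this commit do not (lsa_secrets.yml's `T1003.004 LSA Secrets` is the other case); `mitre.technique`/`subtechnique` already carry the id, so drop the prefix in both. The new description ends with "abuse by GUID" — naming it (`the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}`, which is what the query matches) lets the two be checked against each other.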
@@ -15,6 +12,6 @@ operating_system: windows query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate" AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}") -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/change_shell_open_regkeys.yml b/queries/windows/change_shell_open_regkeys.yml index b90bff7..4586c31 100644 --- a/queries/windows/change_shell_open_regkeys.yml +++ b/queries/windows/change_shell_open_regkeys.yml @@ -1,9 +1,8 @@ title: Change Shell Open RegKeys -description: Detection of file association changes. Detection by registry is noisy - due to problem filtering on registry root, so install/uninstall apps create noise. +description: Detection of file association changes. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Persistence technique: T1546 @@ -14,6 +13,7 @@ query: '--- File assoc change by registry RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command" , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry Value Modified" )' -false_positives: null -tags: null +false_positives: + - Un/install of some applications +tags: diff --git a/queries/windows/clear_windows_event_logs.yml b/queries/windows/clear_windows_event_logs.yml index 7024f74..f4187c8 100644 --- a/queries/windows/clear_windows_event_logs.yml +++ b/queries/windows/clear_windows_event_logs.yml 
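Review bot: In change_shell_open_regkeys.yml the `--- File assoc change by registry` text inside the quoted `query:` scalar (visible only in the hunk header; the query's first line is outside the hunk) is a human comment shipped as part of the query string, and assoc_default_file_change.yml removes exactly this kind of line in the same commit; move it to a `# ` comment above `query:` so the two files match. The new `false_positives:` entry `Un/install of some applications` is fine, but the dropped description sentence also explained why (the registry root cannot be filtered), which is what a tuner needs; write it as `- Install/uninstall of applications (registry root cannot be filtered)`.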
@@ -1,11 +1,9 @@ title: Clear Windows Event Logs description: Detects the clearing of EventLogs through wevtutil (concise) as well - as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet - detection returns a lot of noise for the CommandScripts object, so filtering out - SrcProcParentName may be required. + as Clear-EventLog through CommandLine and CommandScript objects. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1070 @@ -14,6 +12,7 @@ operating_system: windows query: (TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe")) -false_positives: null +false_positives: + - SCOM built-in scripts tags: null diff --git a/queries/windows/cmstp.yml b/queries/windows/cmstp.yml deleted file mode 100644 index 789fb01..0000000 --- a/queries/windows/cmstp.yml +++ /dev/null @@ -1,16 +0,0 @@ -title: CMSTP -description: CMSTP is rarely used within my environment, so the below detection has - low false positives without filtering, though you may want to limit query to inf - files located in personal/writeable directories. -author: keyboardcrunch -date: 10/10/2020 -modified: null -mitre: - tactic: Defense Evasion - technique: T1218 - subtechnique: 003 -operating_system: windows -query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)" -false_positives: null -tags: null - diff --git a/queries/windows/cmstp_signed_binary_proxy_execution.yml b/queries/windows/cmstp_signed_binary_proxy_execution.yml new file mode 100644 index 0000000..1eed907 --- /dev/null +++ b/queries/windows/cmstp_signed_binary_proxy_execution.yml 
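Review bot: `tags: null` remains while `false_positives:` becomes a list, inconsistent with the rest of this commit. The removed text explained that the CommandScript branch is noisy and may need `SrcProcParentName` filtering; the query already excludes `WmiPrvSE.exe`, `PFERemediation.exe` and `svchost.exe`, so tie the new entry to them, e.g. `- SCOM built-in scripts (excluded via parent PFERemediation.exe / WmiPrvSE.exe)`, hedged since that mapping is inferred. The wevtutil branch on the unchanged query line matches only `ContainsCIS "cl "`; `clear-log` is the documented long form of the same verb and is not matched, so add `OR TgtProcCmdLine ContainsCIS "clear-log"` inside that branch or note the gap.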
@@ -0,0 +1,14 @@ +title: CMSTP Signed Binary Proxy Execution +description: Detect execution through CMSTP installations with INF files. +author: keyboardcrunch +date: 10/10/2020 +modified: 05/12/2020 +mitre: + tactic: Defense Evasion + technique: T1218 + subtechnique: 003 +operating_system: windows +query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)" +false_positives: +tags: + diff --git a/queries/windows/compiled_html_file.yml b/queries/windows/compiled_html_file.yml index 9cd8606..d1ac908 100644 --- a/queries/windows/compiled_html_file.yml +++ b/queries/windows/compiled_html_file.yml @@ -1,10 +1,8 @@ title: Compiled HTML File -description: Breaking down the below query, the first section will detect Atomic Test - 1 where a malicious chm file spawns a process, whereas the second half of the query - detects hh.exe loading a remote payloads. +description: Detect malicious chm file spawning a process or hh.exe loading a remote payloads. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1218 @@ -12,6 +10,6 @@ mitre: operating_system: windows query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)") -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/compile_after_delivery.yml b/queries/windows/csc_compile_after_delivery.yml similarity index 56% rename from queries/windows/compile_after_delivery.yml rename to queries/windows/csc_compile_after_delivery.yml index 604683b..3a04950 100644 --- a/queries/windows/compile_after_delivery.yml +++ b/queries/windows/csc_compile_after_delivery.yml 
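Review bot: `SrcProcCmdLine RegExp "^.*\.(inf)"` in the new file is not anchored after `inf`, so paths such as `profile.info` or `setup.inf.bak` (constructed examples) also match, and the leading `^.*` adds nothing; `RegExp "\.inf\b"` is tighter, dialect permitting. The file has `false_positives:` and `tags:` but not the `references:` key that the edited files gain, and ends with a blank line the other new file does not; align the template. The deleted cmstp.yml description carried a tuning hint (limit to INF files in user-writable directories) that could survive as a `# ` comment above `query:`.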
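Review bot: Grammar in compiled_html_file.yml's new description: `a remote payloads` should be `a remote payload`, and `Detect malicious chm file` should be `Detect a malicious chm file`. This file gains no `references:` key while most edited files do. The URL regex on the unchanged query line is duplicated verbatim in msiexec_remote_msi.yml; a comment naming the shared origin would help keep the two in step when one is corrected.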
@@ -1,11 +1,10 @@ -title: Compile After Delivery -description: Both Atomic tests for this technique leverage csc.exe for compilation - of code. The below will detect specific compilation of executables as well as dynamic +title: CSC Compile After Delivery +description: Detect specific compilation of executables as well as dynamic compilation through detection of csc.exe creating executable files (both dll and - exe). Filter noise from later portion of query using SrcProcParentName Not In (). + exe). author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1027 @@ -13,6 +12,7 @@ mitre: operating_system: windows query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName = "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe")) -false_positives: null +false_positives: + - Absolute/Computrace software. tags: null diff --git a/queries/windows/deobfuscate_or_decode_files.yml b/queries/windows/deobfuscate_or_decode_files.yml index bccc1b2..00806e8 100644 --- a/queries/windows/deobfuscate_or_decode_files.yml +++ b/queries/windows/deobfuscate_or_decode_files.yml 
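Review bot: `SrcProcCmdLine Contains "/target:exe"` on the unchanged query line is a case-sensitive `Contains` while the rest of the set uses `ContainsCIS`/`Anycase`, and csc.exe also accepts the `/t:exe` and `/target:winexe` spellings, so the first branch is narrower than the new description ("specific compilation of executables") suggests; either widen it (`RegExp "/t(arget)?:(win)?exe"`, dialect permitting) or state the limit. `tags: null` stays while `false_positives:` becomes a list; match the other files. `TgtFileIsExecutable = "true"` compares against a quoted string; confirm with the schema whether the field is boolean.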
@@ -1,19 +1,17 @@ title: Deobfuscate or Decode Files -description: This Atomic tests detections of certutil encoding and decoding of executables, - and the replication of certutil for bypassing detection of executable encoding. - Our query below will detected renamed certutil through matching of DisplayName, - as well as encoding or decoding of exe files. +description: Detect certutil encoding and decoding of executables, + or use of renamed certutil.exe for bypassing detections. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1140 - subtechnique: null + subtechnique: operating_system: windows query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)" OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") ) -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/disable_defender_firewall.yml b/queries/windows/disable_defender_firewall.yml index 5f019b1..446d025 100644 --- a/queries/windows/disable_defender_firewall.yml +++ b/queries/windows/disable_defender_firewall.yml @@ -1,14 +1,14 @@ title: Disable Defender Firewall -description: Detection on disabling Microsoft Defender Firewall. +description: Detect disabling Microsoft Defender Firewall. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1562 subtechnique: 004 operating_system: windows query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/disable_sysmon.yml b/queries/windows/disable_sysmon.yml index 5ed6d88..32489c7 100644 --- a/queries/windows/disable_sysmon.yml +++ b/queries/windows/disable_sysmon.yml 
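Review bot: The new description drops the scope the removed text stated: the second query branch only matches `-decode`/`-encode` where the argument ends in `.exe`, so say `encoding and decoding of .exe files` rather than "of executables" to keep the description honest about other extensions. `subtechnique: null` becomes a bare empty value here while other files keep `null`; use one form across the set.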
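Review bot: disable_defender_firewall.yml's new description "Detect disabling Microsoft Defender Firewall" is broader than the rule, which matches only `TgtProcName = "netsh.exe"` with `state off` (unchanged query line); the PowerShell route (`Set-NetFirewallProfile -Enabled False`) is not covered, so either add a branch for it or append `via netsh` to the description.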
@@ -1,8 +1,8 @@ title: Disable Sysmon -description: Detection of disabling the Sysmon driver or service. +description: Detects disabling of the Sysmon driver or service. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1562 @@ -10,6 +10,6 @@ mitre: operating_system: windows query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv") OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u") -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/dll_search_order_hijacking.yml b/queries/windows/dll_search_order_hijacking.yml index 095422c..06cbb21 100644 --- a/queries/windows/dll_search_order_hijacking.yml +++ b/queries/windows/dll_search_order_hijacking.yml @@ -1,8 +1,8 @@ title: DLL Search Order Hijacking -description: Detection of common DLL search order hijacks. +description: Detection of common DLL search order hijacks, currently only amsi.dll. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion, Persistence, Privilege Escalation technique: T1574 @@ -10,6 +10,6 @@ mitre: operating_system: windows query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32") AND EventType = "File Creation" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/dll_side-loading_of_npp_gup.exe.yml b/queries/windows/dll_side-loading_of_npp_gup.exe.yml deleted file mode 100644 index a54f090..0000000 --- a/queries/windows/dll_side-loading_of_npp_gup.exe.yml +++ /dev/null 
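Review bot: `TgtProcCmdLine ContainsCIS "-u"` on the unchanged query line is a two-character substring test, so any sysmon.exe command line containing `-u` elsewhere — a config path like `sysmon-update.xml` (constructed example) — also fires; a token match such as `RegExp "(^|\s)[-/]u(\s|$)"` (dialect permitting) keeps the intent and also covers the `/u` spelling. `Sysmon64.exe` is the name of the 64-bit binary and is not matched by `TgtProcName = "sysmon.exe"`; add it or note the gap in the description.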
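Review bot: In dll_search_order_hijacking.yml the new "currently only amsi.dll" wording is accurate, but the exclusion `Does Not ContainCIS "System32"` leaves the legitimate 32-bit copy under `SysWOW64` un-excluded, so servicing that rewrites that file will surface here; add `AND FileFullName Does Not ContainCIS "SysWOW64"` or list it under `false_positives:`. `ContainsCIS "amsi.dll"` has no boundary either, so any file name that merely contains that substring matches; `RegExp "\\amsi\.dll$"` is tighter if the dialect allows it.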
@@ -1,16 +0,0 @@ -title: DLL Side-Loading of Notepad++ GUP.exe -description: Detection for GUP.exe side-loading a dll, where executable has a display - name of "WinGup for Notepad++" and has non-standard source process. Keep an eye - on Cross Process events. -author: keyboardcrunch -date: 10/10/2020 -modified: null -mitre: - tactic: Defense Evasion, Persistence, Privilege Escalation - technique: T1574 - subtechnique: 002 -operating_system: windows -query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe") -false_positives: null -tags: null - diff --git a/queries/windows/dll_sideloading_of_npp_gup.yml b/queries/windows/dll_sideloading_of_npp_gup.yml new file mode 100644 index 0000000..348bcee --- /dev/null +++ b/queries/windows/dll_sideloading_of_npp_gup.yml @@ -0,0 +1,14 @@ +title: DLL Side-Loading of Notepad++ GUP.exe +description: Detection of GUP.exe updater from Notepad++ being used for side-loading a dll. +author: keyboardcrunch +date: 10/10/2020 +modified: 05/12/2020 +mitre: + tactic: Defense Evasion, Persistence, Privilege Escalation + technique: T1574 + subtechnique: 002 +operating_system: windows +query: TgtProcDisplayName = "WinGup for Notepad++" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe") +false_positives: null +tags: null + diff --git a/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml b/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml index aa51aa9..cc15f7f 100644 --- a/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml +++ b/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml @@ -2,7 +2,7 @@ title: Edge or IE Credential Extraction with PowerShell description: Detects the extraction of Edge or Internet Explorer PasswordVault credentials with PowerShell. author: keyboardcrunch date: 24/11/2020 -modified: +modified: 05/12/2020 mitre: tactic: Credential Access technique: T1555 
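Review bot: The new dll_sideloading_of_npp_gup.yml keeps `false_positives: null` / `tags: null` while the other new file in this commit (cmstp_signed_binary_proxy_execution.yml) uses empty values and the edited files use lists; choose one. The `SrcProcName Not In (...)` list excludes by bare process name, so any process with one of those names, from any path, is excluded; if the schema has a path field, qualifying the exclusion by path — or at least a comment that it is name-only — would make the rule narrower. The exact `TgtProcDisplayName = "WinGup for Notepad++"` is a sensible tightening over the old `ContainsCIS "WinGup"`; say so in the description so the change is not reverted as a typo.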
@@ -10,8 +10,6 @@ mitre: operating_system: windows query: SrcProcCmdScript ContainsCIS "Windows.Security.Credentials.PasswordVault" OR SrcProcCmdScript ContainsCIS "RetrievePassword" false_positives: - - tags: - - references: - https://github.com/HanseSecure/credgrap_ie_edge diff --git a/queries/windows/group_policy_preference_extraction.yml b/queries/windows/group_policy_preference_extraction.yml index 7963570..df4cba9 100644 --- a/queries/windows/group_policy_preference_extraction.yml +++ b/queries/windows/group_policy_preference_extraction.yml @@ -1,9 +1,9 @@ title: Group Policy Preference Cred Extraction -description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr +description: Detection of sysvol GP Policy xml file enumeration, with findstr or Get-GPPPassword (Alias or CmdScript internal match). author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Credential Access technique: T1552 @@ -12,6 +12,6 @@ operating_system: windows query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/inhibit_system_recovery.yml b/queries/windows/inhibit_system_recovery.yml index 8a6672a..b90825e 100644 --- a/queries/windows/inhibit_system_recovery.yml +++ b/queries/windows/inhibit_system_recovery.yml 
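Review bot: In group_policy_preference_extraction.yml, `TgtProcCmdline` (twice on the unchanged query line) differs in case from `TgtProcCmdLine` used by most files in this commit; if the engine treats field names case-sensitively those clauses fail, so confirm the canonical spelling (lazagne_password_theft.yml and account_access_removal.yml have the same variant). The third clause is an exact `ContainsCIS` match on a full `Get-ChildItem -Path ... -Include 'Groups.xml',...` command, which only matches that argument order; the description should say it targets that specific script body rather than "Get-GPPPassword (Alias or CmdScript internal match)".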
@@ -3,16 +3,17 @@ description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deleti of shadowcopy content and disabling of system recovery. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Impact technique: T1490 - subtechnique: null + subtechnique: operating_system: windows query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy" AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy" AND SrcProcCmdScript ContainsCIS "Delete()") -false_positives: null -tags: null +false_positives: + - Manual backup or recovery through shadowcopy +tags: diff --git a/queries/windows/invoke-maldoc.yml b/queries/windows/invoke-maldoc.yml index ce31430..2b2e26b 100644 --- a/queries/windows/invoke-maldoc.yml +++ b/queries/windows/invoke-maldoc.yml @@ -1,13 +1,9 @@ title: Invoke-MalDoc -description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion - Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query - should only be used for threat hunting, but it will detect Macro security settings - changes to the registry for Word and Excel as well as detecting COM objects within - ComandLine and CommandScript indicator objects. There may be a lot of results, focus - on Indicators and Command Scripts objects as they'll have less false positives. +description: Detection of Invoke-MalDoc.ps1, complementary to T1027 Evasion + Indicator built into SentinelOne Agent. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Initial Access technique: T1566 
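Review bot: The new `false_positives:` entry covers shadow-copy maintenance only, but the unchanged query line also fires on `delete catalog` and `recoveryenabled no`, which per the description come from wbadmin and bcdedit; add `- Backup catalog maintenance (wbadmin)` and `- Recovery configuration changes (bcdedit)` so the list covers every branch. `subtechnique:` is now a bare empty value; be consistent with the files that keep `null`.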
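Review bot: In invoke-maldoc.yml the removed description carried two operational caveats — the rule is for threat hunting only and is expected to return many results, with Indicator and CommandScript objects being the lower-noise subsets — and the new two-line description drops both. Keep at least the first, `Intended for threat hunting, not alerting; expect many results.`, or express it through the `tags:` key that the next hunk leaves empty. The clause "complementary to T1027 Evasion Indicator built into SentinelOne Agent" is context rather than a description of what the query matches; move it to `references:` or a `# ` comment.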
@@ -17,6 +13,8 @@ query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\Acc AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application") OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")) -false_positives: null -tags: null +false_positives: + - Macro security setting changes + - Powershell automation of Office docs +tags: diff --git a/queries/windows/kill_eventlog_service_threads.yml b/queries/windows/kill_eventlog_service_threads.yml index 43000f8..3a3d491 100644 --- a/queries/windows/kill_eventlog_service_threads.yml +++ b/queries/windows/kill_eventlog_service_threads.yml @@ -1,10 +1,9 @@ title: Kill Eventlog Service Threads -description: Detection is specific to Invoke-Phant0m strings as the test uses it, - and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread - call. +description: Invoke-Phant0m specific detection (currently), catches renamed and obfuscated + versions by querying for the TerminateThread call. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1562 @@ -12,6 +11,6 @@ mitre: operating_system: windows query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/lazagne_password_theft.yml b/queries/windows/lazagne_password_theft.yml index 8eda20e..67ea74f 100644 --- a/queries/windows/lazagne_password_theft.yml +++ b/queries/windows/lazagne_password_theft.yml 
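Review bot: kill_eventlog_service_threads.yml's new description claims the rule "catches renamed and obfuscated versions by querying for the TerminateThread call", but the unchanged query line matches the literal string `$Kernel32::TerminateThread($getThread`, which depends on the script's own variable names; a renamed copy still matches, a version with different variable names does not. The original "hoping to catch" was the honest wording; say `A renamed copy is still caught via the literal TerminateThread call string; variable renames are not.`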
@@ -5,13 +5,14 @@ description: LaZagne happens to spawn 3 cmd shells to save security, system and location. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Credential Access technique: T1552 subtechnique: 001 operating_system: windows query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest" -false_positives: null -tags: null +false_positives: + - Full registry exports +tags: diff --git a/queries/windows/local_account_added_windows.yml b/queries/windows/local_account_added_windows.yml index 24f5fe4..08368af 100644 --- a/queries/windows/local_account_added_windows.yml +++ b/queries/windows/local_account_added_windows.yml @@ -1,8 +1,8 @@ title: Local Account Added Windows -description: Query below we'll query all instances of local accounts being created. +description: Detect all instances of local accounts being created. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Persistence technique: T1136 @@ -11,6 +11,7 @@ operating_system: windows query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser") OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet localgroup administrators\b.*\b\/add\b" -false_positives: General account maintenance. -tags: null +false_positives: + - General account maintenance. +tags: diff --git a/queries/windows/lsa_secrets.yml b/queries/windows/lsa_secrets.yml index 33b3a21..8540202 100644 --- a/queries/windows/lsa_secrets.yml +++ b/queries/windows/lsa_secrets.yml 
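Review bot: `TgtProcCmdline Contains "reg.exe save hklm\s"` on the unchanged query line is a case-sensitive `Contains` — the other one in this commit is csc_compile_after_delivery.yml — so upper-case spellings of the same command are not matched; use `ContainsCIS` like the rest of the set. `hklm\s` is a literal substring here (not a regex `\s`), presumably meant as the common prefix of the `sam`/`security`/`system` hives that the description mentions; a `# ` comment saying so prevents someone "fixing" it into a regex. The spelling `TgtProcCmdline` differs from `TgtProcCmdLine` used elsewhere; confirm which the engine expects.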
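Review bot: In local_account_added_windows.yml, `In Contains Anycase ("net user /add","New-LocalUser")` on the unchanged query line requires the literal substring `net user /add`, but the usual form places the account name (and password) between `user` and `/add` — `net user <name> <password> /add` (constructed) — so that branch rarely matches; `RegExp "\bnet1?\s+user\b.*\s/add\b"` (dialect permitting) covers it and the `net1` alias. The `dscl ... /create` branch is a macOS command and sits oddly under `operating_system: windows`; move it to a macOS rule or comment why it is here. Converting `false_positives:` to a list is right; `tags:` is left as a bare empty value like the other files.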
@@ -1,15 +1,14 @@ title: T1003.004 LSA Secrets -description: For simplicity, we're detecting a Cmdline used for both psexec (the test) - as well as direct reg.exe LSA extraction. +description: Detect direct LSA extraction with reg.exe. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Credential Access technique: T1003 subtechnique: 004 operating_system: windows query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/lsass_memory_dumping.yml b/queries/windows/lsass_memory_dumping.yml index 604c0c1..b489540 100644 --- a/queries/windows/lsass_memory_dumping.yml +++ b/queries/windows/lsass_memory_dumping.yml @@ -1,5 +1,5 @@ title: LSASS Memory Dumping -description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query. +description: Detection of wce (by hash), procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault for LSASS dumping all in one query. author: keyboardcrunch date: 10/10/2020 modified: null diff --git a/queries/windows/malicious_documents.yml b/queries/windows/malicious_documents.yml index b14f2c0..1e0df17 100644 --- a/queries/windows/malicious_documents.yml +++ b/queries/windows/malicious_documents.yml @@ -1,10 +1,9 @@ title: Malicious Documents -description: The tests for this technique overlap heavily with T1566.001 Spearphishing - Attachment due to similar download and macro detections, so here we're focusing - on detecting Office applications launching processes. +description: Detect high risk processes spawned from Office applications. Complementary to T1566.001 Spearphishing + Attachment due to similar download and macro detections. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Execution technique: T1204 
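Review bot: The new description "Detect direct LSA extraction with reg.exe" is wider than the unchanged query, which only matches `save HKLM\security\policy\secrets`; a save of the parent `HKLM\SECURITY` hive, which contains the same key, does not match. Either state that in the description or widen to `ContainsCIS "save HKLM\security"` and accept the noise that lazagne_password_theft.yml already lists (full registry exports). The `T1003.004` title prefix is covered in the note on bypass_user_access_control.yml.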
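Review bot: In lsass_memory_dumping.yml the description is edited but `modified: null` (context line) is left untouched, whereas every other touched file in this commit sets `modified: 05/12/2020`; set it here too. The new "(by hash)" wording makes clear that wce is matched by a fixed hash; if that hash sits in the query outside this hunk, a `references:` entry naming its source would let a maintainer refresh it.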
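Review bot: malicious_documents.yml's new description says "high risk processes spawned from Office applications", but the rule's parent list (in the next hunk) contains only `WINWORD.EXE` and `EXCEL.EXE`; say `from Word or Excel` or add the other Office hosts, so the description and the rule agree. The second sentence ("Complementary to T1566.001 ... due to similar download and macro detections") explains overlap rather than behaviour; it reads better as a `# ` comment or a `references:` entry.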
@@ -13,6 +12,9 @@ operating_system: windows query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe")) OR IndicatorName = "SuspiciousDocument" -false_positives: Legit docs with macros. -tags: null +false_positives: + - Legit docs with macros. + - McAfee DLP hits on links opened from docs. + - Office plugins opening sites within browsers. +tags: diff --git a/queries/windows/modified_sysinternals_accesschk.yml b/queries/windows/modified_sysinternals_accesschk.yml new file mode 100644 index 0000000..95aacd1 --- /dev/null +++ b/queries/windows/modified_sysinternals_accesschk.yml @@ -0,0 +1,16 @@ +title: Modified SysInternals AccessChk +description: Detection of renamed AccessChk.exe, can be used for retrieval of the Chrome password db + as well as other privileged files. +author: keyboardcrunch +date: 10/10/2020 +modified: 05/12/2020 +mitre: + tactic: Credential Access + technique: T1555 + subtechnique: 003 +operating_system: windows +query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective + permissions for securable objects" +false_positives: +tags: + diff --git a/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml b/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml deleted file mode 100644 index a171465..0000000 --- a/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml +++ /dev/null 
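Review bot: `SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE")` on the unchanged query line is case-sensitive while the child list on the same line uses `Anycase`; if the agent reports parent names in a different case this branch is silently empty, so use `In Contains Anycase` on both. The three `false_positives:` entries are useful; the "McAfee DLP" one is environment-specific and is clearer as `- Endpoint DLP agents (e.g. McAfee DLP) reacting to links opened from documents`.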
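Review bot: The new modified_sysinternals_accesschk.yml description says "renamed AccessChk.exe", but the query `TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective permissions for securable objects"` matches a process that kept the name while its version-info description differs — a modified or impostor binary, as the title says — and would not see a renamed genuine binary at all. Reword to `Detection of a modified or impostor accesschk.exe (file name retained, version description differs), usable for ...`. `accesschk64.exe` is the 64-bit binary name and is not covered. The file lacks the `references:` key the edited files gain and ends with a blank line.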
@@ -1,17 +0,0 @@ -title: Modified SysInternals AccessChk Chrome password collector -description: To focus on detection, we're looking for AccessChk.exe where the DisplayName - does not match that of the original. There's 4X as many Cross_Process objects with - this query but none detect the collection of the Chrome password db. -author: keyboardcrunch -date: 10/10/2020 -modified: null -mitre: - tactic: Credential Access - technique: T1555 - subtechnique: 003 -operating_system: windows -query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective - permissions for securable objects" -false_positives: null -tags: null - diff --git a/queries/windows/msiexec_remote_msi.yml b/queries/windows/msiexec_remote_msi.yml index 5186b91..7b79c9f 100644 --- a/queries/windows/msiexec_remote_msi.yml +++ b/queries/windows/msiexec_remote_msi.yml @@ -1,12 +1,11 @@ title: Msiexec Remote MSI -description: The below query will accurately detect execution of remote msi files - by msiexec.exe. The second half of the query aims to detect processes spawned by - msi files instead of dll files in the CommandLine (as that is very noisy) and may - return a bit of noise within for the CrossProcess Object as some auto-update processes - may be collected by this query. +description: Detect execution of remote msi files by msiexec.exe. The second + half of the query aims to detect processes spawned by msi files instead of dll files + in the CommandLine (as that is very noisy) and may return a bit of noise within + for the CrossProcess Object as some auto-update processes may be collected by this query. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1218 
@@ -15,6 +14,7 @@ operating_system: windows query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)" ) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle" AND SrcProcParentName = "msiexec.exe") -false_positives: null -tags: null +false_positives: + - Auto-update processes +tags: diff --git a/queries/windows/non_windows_control_panel_item.yml b/queries/windows/non_windows_control_panel_item.yml index be9d475..28545b3 100644 --- a/queries/windows/non_windows_control_panel_item.yml +++ b/queries/windows/non_windows_control_panel_item.yml @@ -1,10 +1,9 @@ title: Non-Windows Control Panel Item -description: The below query will find all cpl files outside standard directories - and all cpl files executed outside of Windows directories. First portion of query - may need to be dropped if there's too much noise in your environment. +description: Detect cpl files outside standard Windows directories. First portion + of query may need to be dropped if there is too much noise in your environment. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1218 @@ -14,6 +13,7 @@ query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows") -false_positives: null -tags: null +false_positives: + - Applications bringing their own cpl files +tags: diff --git a/queries/windows/ntds_copy.yml b/queries/windows/ntds_copy.yml index a0ca1b0..2db8604 100644 --- a/queries/windows/ntds_copy.yml +++ b/queries/windows/ntds_copy.yml 
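Review bot: The shortened description in non_windows_control_panel_item.yml now describes only the first clause of the query (cpl files outside standard directories), while the second clause — `control.exe` launched with a `.cpl` argument that is not under `C:\Windows` — is no longer mentioned, yet the retained sentence about dropping the "first portion" only makes sense to a reader who knows there is a second portion. Suggest `description: Detect cpl files located outside standard Windows directories, and control.exe executing cpl files from outside C:\Windows. First portion of query may need to be dropped if there is too much noise in your environment.`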
@@ -1,6 +1,5 @@ title: NTDS Copy -description: We won't bother detecting VSS copies being created, rather detecting - credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not. +description: Detection of credential file copies, either NTDS.dit or SYSTEM whether a VSS copy or not. author: keyboardcrunch date: 10/10/2020 modified: null diff --git a/queries/windows/open_local_port_on_defender_firewall.yml b/queries/windows/open_local_port_on_defender_firewall.yml index b451a2d..f303e1f 100644 --- a/queries/windows/open_local_port_on_defender_firewall.yml +++ b/queries/windows/open_local_port_on_defender_firewall.yml @@ -1,8 +1,8 @@ title: Open Local Port on Defender Firewall -description: Detection of opening of local ports within Defender Firewall. +description: Detect opening of local ports within Defender Firewall. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1562 @@ -10,6 +10,7 @@ mitre: operating_system: windows query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport=" -false_positives: null -tags: null +false_positives: + - Application installs requiring listening ports. +tags: diff --git a/queries/windows/outlook_vba_persistence.yml b/queries/windows/outlook_vba_persistence.yml index 40ddaf4..299eeab 100644 --- a/queries/windows/outlook_vba_persistence.yml +++ b/queries/windows/outlook_vba_persistence.yml 
@@ -10,8 +10,7 @@ mitre: operating_system: windows query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" ) false_positives: - - Possible legit uses of macros for sorting/saving emails. -tags: - - + - Possible legit uses of macros for sorting or saving emails. +tags: references: - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ diff --git a/queries/windows/parent_pid_spoofing.yml b/queries/windows/parent_pid_spoofing.yml index ad5804e..eeeba44 100644 --- a/queries/windows/parent_pid_spoofing.yml +++ b/queries/windows/parent_pid_spoofing.yml @@ -4,7 +4,7 @@ description: Detects parent PID spoofing through Cross Process indicators (SrcPr through Command Scripts indicators. Update the TgtProcName list to filter noise. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion, Privilege Escalation technique: T1134 @@ -15,6 +15,7 @@ query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Proces AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel != "LOW" AND TgtProcName Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess") -false_positives: null -tags: null +false_positives: + - Cross Process indicators are noisy +tags: diff --git a/queries/windows/powershell_maldoc.yml b/queries/windows/powershell_download_cradles.yml similarity index 62% rename from queries/windows/powershell_maldoc.yml rename to queries/windows/powershell_download_cradles.yml index 098dcbd..ad7c754 100644 --- a/queries/windows/powershell_maldoc.yml +++ b/queries/windows/powershell_download_cradles.yml 
@@ -1,12 +1,11 @@ -title: Powershell MalDoc -description: This test merely uses Powershell to download a maldoc, the below query +title: Powershell Download Cradles +description: Detects usage of Powershell to download a malicious files. The below query will find CommandLine or CommandScript downloads using multiple cradle methods as - documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239. - The below query should only be used for hunting purposes and covers most unobfuscated - powershell cradles. + documented here HarmJ0y. This query should only be used for hunting purposes + and covers most unobfuscated powershell cradles. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Initial Access technique: T1566 @@ -16,6 +15,7 @@ query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadStri (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP")) -false_positives: null -tags: null - +false_positives: +tags: +references: + - https://gist.github.com/HarmJ0y/bb48307ffa663256e239 diff --git a/queries/windows/powershell_gui_input_capture.yml b/queries/windows/powershell_gui_input_capture.yml index 3307b0f..924981f 100644 --- a/queries/windows/powershell_gui_input_capture.yml +++ b/queries/windows/powershell_gui_input_capture.yml @@ -1,5 +1,5 @@ title: PowerShell GUI Input Capture -description: Focusing here on detecting the Powershell UI.PromptForCredential and +description: Detect usage of Powershell UI.PromptForCredential and GetNetworkCredential().Password in CmdScript or CmdLine. author: keyboardcrunch date: 10/10/2020 diff --git a/queries/windows/powershell_http_form_submission.yml b/queries/windows/powershell_http_form_submission.yml index ef83e90..5fec7cf 100644 
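Review bot: The new description in powershell_download_cradles.yml reads "download a malicious files" and "documented here HarmJ0y" — the article is wrong and "here" now points at nothing because the URL moved into `references`. Suggest `description: Detects usage of Powershell to download malicious files. The query will find CommandLine or CommandScript downloads using multiple cradle methods documented by HarmJ0y (see references). This query should only be used for hunting purposes and covers most unobfuscated powershell cradles.` With the rule retitled from a maldoc test to generic download cradles, the unchanged `tactic: Initial Access` / `technique: T1566` mapping looks inherited rather than chosen; download cradles are more commonly mapped to Command and Control (T1105 Ingress Tool Transfer) or Execution (T1059.001 PowerShell), and the mapping should probably be revisited along with the rename.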
--- a/queries/windows/powershell_http_form_submission.yml +++ b/queries/windows/powershell_http_form_submission.yml @@ -2,14 +2,15 @@ title: PowerShell HTTP Form Submission description: Detection of powershell data POST and PUT with Invoke-WebRequest. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: mitre: tactic: Exfiltration technique: T1020 - subtechnique: null + subtechnique: operating_system: windows query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post") -false_positives: PowerShell HTTP form submissions. -tags: null +false_positives: + - PowerShell HTTP form submissions. +tags: diff --git a/queries/windows/powershell_time_stomping.yml b/queries/windows/powershell_time_stomping.yml index ce4f9e9..eb02647 100644 --- a/queries/windows/powershell_time_stomping.yml +++ b/queries/windows/powershell_time_stomping.yml @@ -2,7 +2,7 @@ title: PowerShell TimeStomping description: Detection of time stomping with PowerShell. author: keyboardcrunch date: 24/11/2020 -modified: +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1070 @@ -10,8 +10,6 @@ mitre: operating_system: windows query: SrcProcCmdScript In Contains Anycase ("[IO.File]::SetCreationTime","[IO.File]::SetLastAccessTime","[IO.File]::SetLastWriteTime") false_positives: - - tags: - - references: - https://attack.mitre.org/techniques/T1070/006/ diff --git a/queries/windows/process_injection.yml b/queries/windows/process_injection.yml index 99f1ce6..effa049 100644 --- a/queries/windows/process_injection.yml +++ b/queries/windows/process_injection.yml 
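Review bot: In powershell_http_form_submission.yml `modified: null` becomes a bare `modified:`, which is still null and so records no modification date even though this commit changes the file, while every sibling hunk sets `modified: 05/12/2020`; the windows_share_creation hunk at the end of this commit has the same bare `modified:`. Write `modified: 05/12/2020` in both for consistency with the rest of the set. The bare `subtechnique:` in the same hunk is also null, which is fine if the schema reads that as "no sub-technique", but a consumer that concatenates technique and subtechnique into an id will get null rather than an empty string — worth a one-line comment in the schema or an explicit `subtechnique: null` if that is the contract.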
@@ -1,17 +1,18 @@ title: T1055 Process Injection description: Detects Process Injection through execution of MavInject, filtering out noisy/expected activity. SrcProcParentName filter narrows Cross Process items to - HQ results. + refine results. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Defense Evasion, Privilege Escalation technique: T1055 - subtechnique: null + subtechnique: operating_system: windows query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning") AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe")) -false_positives: null -tags: null +false_positives: + - Legitimate usage of MavInject +tags: diff --git a/queries/windows/registry_credential_enumeration.yml b/queries/windows/registry_credential_enumeration.yml index 4a351cb..f498805 100644 --- a/queries/windows/registry_credential_enumeration.yml +++ b/queries/windows/registry_credential_enumeration.yml @@ -1,6 +1,5 @@ title: Registry Credential Enumeration -description: This query detects enumeration and discovery of credentials within the - Registry, including Putty sessions. +description: Detect enumeration and discovery of credentials within the Registry, including Putty sessions. author: keyboardcrunch date: 10/10/2020 modified: null diff --git a/queries/windows/rundll32_possible_cobalt_strike.yml b/queries/windows/rundll32_possible_cobalt_strike.yml index c90e18d..430746f 100644 --- a/queries/windows/rundll32_possible_cobalt_strike.yml +++ b/queries/windows/rundll32_possible_cobalt_strike.yml @@ -2,7 +2,7 @@ title: Rundll32 Possible Cobalt Strike description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike. author: keyboardcrunch date: 02/12/2020 -modified: +modified: 05/12/2020 mitre: tactic: Defense Evasion technique: T1218 
@@ -11,6 +11,7 @@ operating_system: query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" ) false_positives: - Printer drivers + - High number of outbound SMB connections tags: - Cobalt Strike references: diff --git a/queries/windows/scheduled_tasks_creation.yml b/queries/windows/scheduled_tasks_creation.yml index 25cd351..763bd4e 100644 --- a/queries/windows/scheduled_tasks_creation.yml +++ b/queries/windows/scheduled_tasks_creation.yml @@ -1,11 +1,9 @@ title: Scheduled Tasks Creation -description: Our goal with this query is to detect any schtasks /create command as - well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent - noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName - executables. +description: Detection of schtasks /create command as well as any use of the New-ScheduledTask* + cmdlets from powershell. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Execution, Persistence technique: T1053 @@ -14,6 +12,8 @@ operating_system: windows query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" ) OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript ContainsCIS "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe") -false_positives: null -tags: null +false_positives: + - NPCAP driver task + - Legitimate task creation +tags: diff --git a/queries/windows/scheduledtaskregister.yml b/queries/windows/scheduledtaskregister.yml index 037724a..f21f78d 100644 --- a/queries/windows/scheduledtaskregister.yml +++ b/queries/windows/scheduledtaskregister.yml 
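Review bot: The printer-driver exclusion in the rundll32_possible_cobalt_strike.yml query does not work as written, which probably explains the "Printer drivers" false positive and the new "High number of outbound SMB connections" entry rather than justifying them. In `".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi"` the greedy `.*` consumes the whole command line, the negative lookahead is then evaluated at end-of-string where it trivially succeeds, and `$` matches, so every command line passes the filter; the trailing `/gmi` is JavaScript regex-literal flag syntax, and if the engine treats the string as pattern text those four characters are literal, in which case the clause never matches anything instead. The operator the rule set already uses elsewhere is both clearer and correct: `AND SrcProcCmdLine Does Not ContainCIS ",MonitorPrintJobStatus"` — or, if a regex is required, anchor the lookahead before the wildcard: `SrcProcCmdLine RegExp "^(?!.*spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$"`. The query line is unchanged context in this hunk; the false_positives additions themselves are fine.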
@@ -1,6 +1,6 @@ title: ScheduledTaskRegister description: Leveraging the ScheduleTaskRegister Indicator object for detection of - registered tasks. + registered tasks, but filtering for better quality results. author: keyboardcrunch date: 10/10/2020 modified: null diff --git a/queries/windows/secure_delete_data_destruction.yml b/queries/windows/secure_delete_data_destruction.yml index cd6c618..173225a 100644 --- a/queries/windows/secure_delete_data_destruction.yml +++ b/queries/windows/secure_delete_data_destruction.yml @@ -1,14 +1,15 @@ title: Secure Delete Data Destruction -description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering. +description: Detection of SDelete (by display name). Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Impact technique: T1485 - subtechnique: null + subtechnique: operating_system: windows query: TgtProcDisplayName = "Secure file delete" -false_positives: null -tags: null +false_positives: + - Legitimate usage of SDelete +tags: diff --git a/queries/windows/security_support_provider.yml b/queries/windows/security_support_provider.yml index 922a030..a645edd 100644 --- a/queries/windows/security_support_provider.yml +++ b/queries/windows/security_support_provider.yml 
@@ -1,10 +1,9 @@ title: Security Support Provider -description: Detection of changes to Security Support Provider through Registry modification. - Filters most standard system changes with SrcProcName Not In (list) but there will - be some noise from installers. +description: Detect changes to Security Support Provider through Registry modification. + Filters most standard system changes with SrcProcName Not In (list). author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Privilege Escalation, Persistence technique: T1547 @@ -13,6 +12,7 @@ operating_system: windows query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not ContainCIS "system32\wsauth.dll") -false_positives: null -tags: null +false_positives: + - Some application installs +tags: diff --git a/queries/windows/service_created.yml b/queries/windows/service_created.yml new file mode 100644 index 0000000..446518c --- /dev/null +++ b/queries/windows/service_created.yml @@ -0,0 +1,15 @@ +title: Service Created +description: Detects creation and modification of windows services through binPath + argument to sc.exe. +author: keyboardcrunch +date: 10/10/2020 +modified: null +mitre: + tactic: Privilege Escalation + technique: T1543 + subtechnique: 003 +operating_system: windows +query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath=" +false_positives: null +tags: null + diff --git a/queries/windows/service_disable.yml b/queries/windows/service_disabled.yml similarity index 63% rename from queries/windows/service_disable.yml rename to queries/windows/service_disabled.yml index 80f4c48..0cd33c6 100644 --- a/queries/windows/service_disable.yml +++ b/queries/windows/service_disabled.yml 
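Review bot: The new service_created.yml is a second copy of windows_service_creation.yml — identical description, mitre mapping and query — and the later hunk in this commit even retitles windows_service_creation.yml to the same `title: Service Created`, so two rules will fire on every `sc.exe ... binPath=` event. Keep one file (the new name matches the service_disabled/service_started renames, so probably this one), delete the other, and give the survivor the `modified: 05/12/2020` and empty-key style the rest of the commit adopts rather than this file's `modified: null` / `false_positives: null` / `tags: null`. Independently, `TgtProcCmdLine Contains "binPath="` uses the case-sensitive operator while the other command-line matches in this set use `ContainsCIS` or `Contains Anycase`; sc.exe option names are not case-sensitive, so `binpath=` invocations are likely missed — `TgtProcCmdLine ContainsCIS "binPath="`. As in modified_sysinternals_accesschk.yml, `subtechnique: 003` loads as the integer 3 and should be `subtechnique: "003"`.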
@@ -1,17 +1,18 @@ -title: Service Disable -description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet. +title: Service Disabled +description: Detect disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Impact technique: T1489 - subtechnique: null + subtechnique: operating_system: windows query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled") OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType Disabled") -false_positives: Manual service toggling. -tags: null +false_positives: + - Manual service toggling. +tags: diff --git a/queries/windows/service_start.yml b/queries/windows/service_started.yml similarity index 78% rename from queries/windows/service_start.yml rename to queries/windows/service_started.yml index 7e5dea2..25ab6bd 100644 --- a/queries/windows/service_start.yml +++ b/queries/windows/service_started.yml @@ -1,8 +1,8 @@ -title: Service Starting +title: Service Started description: Detection of sc.exe start or start-service. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Execution technique: T1569 @@ -10,6 +10,7 @@ mitre: operating_system: windows query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe" -false_positives: Manual service actions. -tags: null +false_positives: + - Manual service actions. +tags: diff --git a/queries/windows/startup_folder.yml b/queries/windows/startup_folder_persistence.yml similarity index 93% rename from queries/windows/startup_folder.yml rename to queries/windows/startup_folder_persistence.yml index a510c4d..7f6ef4b 100644 --- a/queries/windows/startup_folder.yml 
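Review bot: The rename to `title: Service Started` (with the unchanged `description: Detection of sc.exe start or start-service.`) does not match the query in service_started.yml, whose sc.exe clause is `SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create"`, not a start; as written the rule catches service creation through sc.exe — which service_created.yml already covers — and only catches starts through `Start-Service`. Either change the clause to `( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS " start " )` or adjust the title and description to what the query actually does. The query line is unchanged context in the second hunk of this file.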
+++ b/queries/windows/startup_folder_persistence.yml @@ -1,4 +1,4 @@ -title: Startup Folder +title: Startup Folder Persistence description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations. author: keyboardcrunch date: 10/10/2020 diff --git a/queries/windows/startup_shortcuts.yml b/queries/windows/startup_shortcuts.yml index 80096d0..3b39bdb 100644 --- a/queries/windows/startup_shortcuts.yml +++ b/queries/windows/startup_shortcuts.yml @@ -11,6 +11,7 @@ operating_system: windows query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND SrcProcName Not In ("ONENOTE.EXE","msiexec.exe") -false_positives: Some application installs. +false_positives: + - Some application installs. tags: null diff --git a/queries/windows/windows_remote_management.yml b/queries/windows/windows_remote_management_execution.yml similarity index 55% rename from queries/windows/windows_remote_management.yml rename to queries/windows/windows_remote_management_execution.yml index cc2845a..a44c432 100644 --- a/queries/windows/windows_remote_management.yml +++ b/queries/windows/windows_remote_management_execution.yml @@ -1,12 +1,8 @@ -title: Windows Remote Management -description: The below query (in order) remote process executions through MMC, WMIC, - and PsExec (by name or display name). Also of note, there are only 3 tests documented - for this Atomic, yet there are 6 tests, so the below query focuses on detectability. - PsExec detection may have a lot of noise depending on your environment, and may - require additional filtering. +title: Windows Remote Management Execution +description: Detect remote process executions through MMC, WMIC, and PsExec (by name or display name). author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Lateral Movement technique: T1021 
@@ -17,6 +13,7 @@ query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine Conta OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty) -false_positives: null -tags: null +false_positives: + - Legitimate usage of PSExec +tags: diff --git a/queries/windows/windows_service_creation.yml b/queries/windows/windows_service_creation.yml index 8241cd7..974046a 100644 --- a/queries/windows/windows_service_creation.yml +++ b/queries/windows/windows_service_creation.yml @@ -1,15 +1,15 @@ -title: Windows Service Creation +title: Service Created description: Detects creation and modification of windows services through binPath argument to sc.exe. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: 05/12/2020 mitre: tactic: Privilege Escalation technique: T1543 subtechnique: 003 operating_system: windows query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath=" -false_positives: null -tags: null +false_positives: +tags: diff --git a/queries/windows/windows_share_creation.yml b/queries/windows/windows_share_creation.yml index 44f4e27..eb3a62c 100644 --- a/queries/windows/windows_share_creation.yml +++ b/queries/windows/windows_share_creation.yml @@ -2,7 +2,7 @@ title: Windows Share Creation description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity. author: keyboardcrunch date: 10/10/2020 -modified: null +modified: mitre: tactic: Lateral Movement technique: T1021 @@ -10,6 +10,7 @@ mitre: operating_system: windows query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine ContainsCIS "use ") -false_positives: Share creations. -tags: null +false_positives: + - Share creation +tags: