diff --git a/queries/linux/dd_data_destruction.yml b/queries/linux/dd_data_destruction.yml
new file mode 100644
index 0000000..5e207ac
--- /dev/null
+++ b/queries/linux/dd_data_destruction.yml
@@ -0,0 +1,14 @@
+title: DD Data Destruction
+description: Detection of data destruction with the DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Impact
+ technique: T1485
+ subtechnique: null
+operating_system: linux
+query: AgentOS In ("linux","osx") AND TgtProcName = "dd" AND TgtProcCmdLine ContainsCIS "of="
+false_positives: null
+tags: null
+
diff --git a/queries/linux/disable_syslog.yml b/queries/linux/disable_syslog.yml
new file mode 100644
index 0000000..cc52157
--- /dev/null
+++ b/queries/linux/disable_syslog.yml
@@ -0,0 +1,15 @@
+title: Disable Syslog
+description: Detect disabling of Linux Syslog service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: null
+operating_system: linux
+query: TgtProcName In Contains ("service","chkconfig","systemctl") AND TgtProcCmdLine
+ In Contains ("rsyslog stop","off rsyslog","stop rsyslog","disable rsyslog")
+false_positives: null
+tags: null
+
diff --git a/queries/linux/disabling_linux_firewall.yml b/queries/linux/disabling_linux_firewall.yml
new file mode 100644
index 0000000..e242949
--- /dev/null
+++ b/queries/linux/disabling_linux_firewall.yml
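Review bot: `false_positives: null` understates this query — `dd` with `of=` is how routine disk imaging, backups and ISO writes are done, so the rule fires on ordinary administration. Record that in the new file, e.g. `false_positives: Disk imaging, backups and ISO writes with dd.`, and if the intent is destructive overwrites, narrow the argument to device targets with `TgtProcCmdLine ContainsCIS "of=/dev/"`. The `AgentOS In ("linux","osx")` clause already includes macOS, which `operating_system: linux` does not reflect.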
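Review bot: The list in `TgtProcCmdLine In Contains (...)` covers four rsyslog phrasings only, so `systemctl mask rsyslog` and the other syslog daemons (syslog-ng, journald) implied by the description's "Linux Syslog service" are not detected. Either add `"mask rsyslog"` and the other daemon names to the list, or narrow the description to rsyslog. `TgtProcName In Contains ("service","chkconfig","systemctl")` is a substring match and also hits any process whose name merely contains those words; the exact-set form `TgtProcName In ("service","chkconfig","systemctl")` used elsewhere in this commit is tighter.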
@@ -0,0 +1,16 @@
+title: Disabling Linux Firewall
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+description: Detection of Linux firewall being disabled.
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: null
+operating_system: linux
+query: (SrcProcName In Contains ("service","chkconfig") AND SrcProcCmdLine In Contains
+ ("off","stop") AND SrcProcCmdLine ContainsCIS "tables") OR (TgtProcName = "systemctl"
+ AND TgtProcCmdLine In Contains ("stop","disable") AND TgtProcCmdLine Contains "firewalld")
+false_positives: null
+tags: null
+
diff --git a/queries/linux/local_account_added_nix.yml b/queries/linux/local_account_added_nix.yml
new file mode 100644
index 0000000..6a476e6
--- /dev/null
+++ b/queries/linux/local_account_added_nix.yml
@@ -0,0 +1,14 @@
+title: Local Account Added Linux
+description: Query all instances of local accounts being Linux and OSX.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1136
+ subtechnique: null
+operating_system: linux
+query: SrcProcCmdLine In Contains Anycase ("useradd")
+false_positives: General account maintenance.
+tags: null
+
diff --git a/queries/windows/account_access_removal.yml b/queries/windows/account_access_removal.yml
new file mode 100644
index 0000000..613e81f
--- /dev/null
+++ b/queries/windows/account_access_removal.yml
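Review bot: `TgtProcCmdLine Contains "firewalld"` is the only case-sensitive operator in a query that otherwise uses `ContainsCIS`/`In Contains`, and the first half keys on `SrcProc*` while the second keys on `TgtProc*`, so the two halves inspect different process objects for the same kind of action. Use one object and `ContainsCIS` in both halves, and consider adding `"ufw disable"` since the title covers the Linux firewall generally. `ContainsCIS "tables"` is a broad substring; `SrcProcCmdLine In Contains ("iptables","ip6tables","nftables")` states what is meant.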
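Review bot: The description "local accounts being Linux and OSX" is missing the words "added on". The query matches only `useradd`, so `adduser` on Debian-derived systems and `dscl . -create` on macOS are not covered although the description claims OSX; the `dscl` regex that appears in `local_account_added_windows.yml` later in this commit belongs in this file instead. Suggested: `query: SrcProcCmdLine In Contains Anycase ("useradd","adduser","dscl")`.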
@@ -0,0 +1,18 @@
+title: Account Access Removal
+description: Detects the deletion of a local user account or removal of Active Directory
+ groups through powershell cmdlets. No detection for account password resets for
+ purpose of impact due to false detections.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Impact
+ technique: T1531
+ subtechnique: null
+operating_system: windows
+query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
+ TgtProcCmdLine ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
+ "Remove-ADGroupMember"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/account_manipulation.yml b/queries/windows/account_manipulation.yml
new file mode 100644
index 0000000..3a7a466
--- /dev/null
+++ b/queries/windows/account_manipulation.yml
@@ -0,0 +1,22 @@
+title: Account Manipulation
+description: Both Atomic tests for account manipulation rely on PowerShell AD module,
+ so we can catch both with one query. We have the query encapsulated so that we can
+ filter it at the end by Parent Process, as some Logon Scripts and Configuration
+ Items (SCOM, SCCM) may also cause noise. You may want to additionally filter out
+ certain SrcProcUser to reduce noise. What cannot be helped, CommandScript detection
+ on import of Powershell AD cmdlets.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1098
+ subtechnique: null
+operating_system: windows
+query: ( SrcProcCmdLine In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
+ OR SrcProcCmdScript In Contains Anycase ("New-ADUser","Rename-LocalUser","Set-LocalUser")
+ OR SrcProcCmdLine RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" OR SrcProcCmdScript
+ RegExp "\bAdd-ADGroupMember\b.*\bDomain Admins\b" ) AND SrcProcParentName Not In
+ ("WmiPrvSE.exe","AppVClient.exe","svchost.exe","CompatTelRunner.exe")
+false_positives: null
+tags: null
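Review bot: `SrcProcCmdline` (lower-case `l`) differs from the `SrcProcCmdLine` spelling every other query in this commit uses; if Deep Visibility field names are case-sensitive the `net user ... /delete` clause never matches, and even if they are not, the inconsistency should be fixed before it spreads. The same spelling appears in `group_policy_preference_extraction.yml`, `lazagne_password_theft.yml` and `lsass_memory_dumping.yml`. Change the first clause to `SrcProcCmdLine RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete"` and the `TgtProcCmdline` occurrences in the other three files to `TgtProcCmdLine`.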
diff --git a/queries/windows/allow_executable_through_defender_firewall.yml b/queries/windows/allow_executable_through_defender_firewall.yml
new file mode 100644
index 0000000..3cb831a
--- /dev/null
+++ b/queries/windows/allow_executable_through_defender_firewall.yml
@@ -0,0 +1,15 @@
+title: Allow Executable Through Defender Firewall
+author: keyboardcrunch
+description: Detect allowance of executables through Defender Firewall.
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 002
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
+ ContainsCIS "program=" AND TgtProcCmdLine In Contains Anycase ("C:\Users","C:\Windows\Temp")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml b/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml
new file mode 100644
index 0000000..45d6c7d
--- /dev/null
+++ b/queries/windows/allow_smb_and_rdp_on_defender_firewall.yml
@@ -0,0 +1,16 @@
+title: Allow SMB and RDP on Defender Firewall
+description: Detects addition of Defender firewall rules for SMB and RDP.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 002
+operating_system: windows
+query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "remote desktop"
+ AND TgtProcCmdLine ContainsCIS "enable=Yes") OR (TgtProcName = "netsh.exe" AND TgtProcCmdLine
+ ContainsCIS "file and printer sharing" AND TgtProcCmdLine ContainsCIS "enable=Yes")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/amsi_bypass_initfailed.yml b/queries/windows/amsi_bypass_initfailed.yml
new file mode 100644
index 0000000..a439f60
--- /dev/null
+++ b/queries/windows/amsi_bypass_initfailed.yml
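Review bot: `subtechnique: 002` is an unquoted number, so a YAML loader yields the integer `2` and the leading zeros needed to form `T1562.002` are gone; every file in this commit with a numeric sub-technique has the same issue and should write `subtechnique: "002"`. The mapping is also off: T1562.002 is Disable Windows Event Logging, whereas firewall rule changes belong under T1562.004 (Disable or Modify System Firewall), which the following `allow_smb_and_rdp_on_defender_firewall.yml` hunk mis-maps the same way. `date: 10/10/2020` is ambiguous between day-first and month-first order; a quoted ISO string such as `date: "2020-10-10"` keeps it a string and removes the doubt.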
@@ -0,0 +1,15 @@
+title: AMSI Bypass Through InitFailed
+description: Detects AMSI bypass through InitFailed.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 001
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
+ OR SrcProcCmdScript ContainsCIS "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/application_shimming.yml b/queries/windows/application_shimming.yml
new file mode 100644
index 0000000..23328aa
--- /dev/null
+++ b/queries/windows/application_shimming.yml
@@ -0,0 +1,15 @@
+title: Application Shimming
+description: Detects application shimming through sdbinst or registry modification.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 008
+operating_system: windows
+query: (SrcProcName = "sdbinst.exe" and ProcessCmd ContainsCIS ".sdb") OR ((RegistryKeyPath
+ ContainsCIS "AppInit_DLLs" OR RegistryPath ContainsCIS "AppCompatFlags") AND (EventType
+ = "Registry Value Create" OR EventType = "Registry Value Modified"))
+false_positives: null
+tags: null
diff --git a/queries/windows/assoc_default_file_change.yml b/queries/windows/assoc_default_file_change.yml
new file mode 100644
index 0000000..ac5b3af
--- /dev/null
+++ b/queries/windows/assoc_default_file_change.yml
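Review bot: Both clauses are exact substring matches on one long PowerShell literal, so any rewording of that line that keeps the same reflection call leaves it undetected, and the literal duplicated across the `TgtProcCmdLine` and `SrcProcCmdScript` lines is easy to let drift apart. Match on the short tokens the technique cannot avoid instead, e.g. `(TgtProcCmdLine ContainsCIS "amsiInitFailed" OR SrcProcCmdScript ContainsCIS "amsiInitFailed")`, and keep the full literal in `description` as the reference sample. `false_positives` should then note that security tooling and test scripts can contain the same token.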
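Review bot: `ProcessCmd` and `RegistryPath` are field names no other query in this commit uses — the rest use `TgtProcCmdLine`/`SrcProcCmdLine` and `RegistryKeyPath` — and `RegistryKeyPath` and `RegistryPath` are mixed inside a single expression here and again in `invoke-maldoc.yml`; unless both spellings are valid fields, two of the three clauses silently match nothing. The MITRE mapping is wrong as well: Application Shimming is T1546.011 and the `AppInit_DLLs` clause is T1546.010 (AppInit DLLs), not `008` (Accessibility Features). Suggested: `SrcProcCmdLine ContainsCIS ".sdb"`, `RegistryKeyPath ContainsCIS "AppCompatFlags"` and `subtechnique: "011"`.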
@@ -0,0 +1,16 @@
+title: Assoc Default File Change
+description: Detection of file association change through assoc command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation
+ technique: T1546
+ subtechnique: 008
+operating_system: windows
+query: '--- File assoc change by assoc command
+
+ TgtProcCmdLine ContainsCIS "assoc" and TgtProcCmdLine RegExp ".*=.*"'
+false_positives: null
+tags: null
+
diff --git a/queries/windows/at_scheduled_task.yml b/queries/windows/at_scheduled_task.yml
new file mode 100644
index 0000000..7d94176
--- /dev/null
+++ b/queries/windows/at_scheduled_task.yml
@@ -0,0 +1,14 @@
+title: AT Scheduled Task
+description: Detect interactive process execution scheduled by AT command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution, Persistence, Privilege Escalation
+ technique: T1053
+ subtechnique: 002
+operating_system: windows
+query: TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
+false_positives: null
+tags: null
+
diff --git a/queries/windows/bits_jobs.yml b/queries/windows/bits_jobs.yml
new file mode 100644
index 0000000..6ba78d6
--- /dev/null
+++ b/queries/windows/bits_jobs.yml
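Review bot: The `query` value begins with the line `--- File assoc change by assoc command`, so the string handed to the query engine starts with a pseudo-comment rather than an expression; unless Deep Visibility ignores `---` lines, the query does not parse. Move that text into `description` and keep `query` to the expression alone; `change_shell_open_regkeys.yml` later in this commit embeds `--- File assoc change by registry` the same way. `ContainsCIS "assoc"` also matches any command line containing that substring (for example "association"), and `RegExp ".*=.*"` is just "contains `=`"; `TgtProcCmdLine RegExp "\bassoc\s+\S+=\S+"` states the intent. Changing a default file association is T1546.001, not `008`.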
@@ -0,0 +1,20 @@
+title: BITS Jobs
+description: The below query will find and remote content downloads from DesktopImgDownldr
+ or BitsAdmin processes, Start-BitsTransfer cmdlet downloads, and excludes system
+ processes and noise with SrcProcParentName Not In ().
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Persistence
+ technique: T1197
+ subtechnique: null
+operating_system: windows
+query: (( TgtProcName In Contains Anycase ("bitsadmin.exe","desktopimgdownldr.exe")
+ AND ( TgtProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
+ OR TgtProcCmdLine ContainsCIS "/setnotifycmdline " ) ) OR ( TgtProcName = "powershell.exe"
+ AND TgtProcCmdLine ContainsCIS "Start-BitsTransfer" ) ) AND SrcProcParentName Not
+ In ("services.exe","smss.exe","wininit.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/browser_extension_installation.yml b/queries/windows/browser_extension_installation.yml
new file mode 100644
index 0000000..3407fae
--- /dev/null
+++ b/queries/windows/browser_extension_installation.yml
@@ -0,0 +1,17 @@
+title: Browser Extension Installation
+description: This query takes a lazy approach to detecting the staging of xpi or crx
+ extension packages for installation within Chrome and Firefox based browsers. Unsure
+ how to filter our extension updates without excluding too much.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1176
+ subtechnique: null
+operating_system: windows
+query: ( FileFullName RegExp "\bWebstore Downloads\b.*\.(crx)$" OR FileFullName RegExp
+ "\bstaged\b.*\.(xpi)$" ) AND EventType = "File Creation"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/bypass_user_access_control.yml b/queries/windows/bypass_user_access_control.yml
new file mode 100644
index 0000000..fec5c34
--- /dev/null
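Review bot: The PowerShell branch is limited to `TgtProcName = "powershell.exe"`, so `Start-BitsTransfer` run from `pwsh.exe` (PowerShell 7) is not covered; `TgtProcName In Contains Anycase ("powershell.exe","pwsh.exe")` closes that gap. The description sentence "will find and remote content downloads" is missing a word ("find any remote ..."), and the noise exclusions it mentions belong in `false_positives` rather than `null`. The enclosing `SrcProcParentName Not In ("services.exe","smss.exe","wininit.exe")` also removes service-launched BITS activity from view, which is worth stating there.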
+++ b/queries/windows/bypass_user_access_control.yml
@@ -0,0 +1,20 @@
+title: T1548.002 Bypass User Access Control
+description: Detection of UAC bypass through tampering with Shell Open for .ms-settings
+ or .msc file types. Beyond this Atomic test, and to further UAC bypass detection,
+ the below query includes detection for CMSTPLUA COM interface abuse by GUID. Noted
+ issues with Sentinel Agent 4.3.2.86 detecting by registry key. All registry key
+ paths were ControlSet001\Service\bam\State\UserSettings\GUID...
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Privilege Escalation
+ technique: T1548
+ subtechnique: 008
+operating_system: windows
+query: (SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine
+ ContainsCIS "mscfile\shell\open\command") OR (TgtProcDisplayName = "COM Surrogate"
+ AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/change_shell_open_regkeys.yml b/queries/windows/change_shell_open_regkeys.yml
new file mode 100644
index 0000000..b90bff7
--- /dev/null
+++ b/queries/windows/change_shell_open_regkeys.yml
@@ -0,0 +1,19 @@
+title: Change Shell Open RegKeys
+description: Detection of file association changes. Detection by registry is noisy
+ due to problem filtering on registry root, so install/uninstall apps create noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1546
+ subtechnique: 008
+operating_system: windows
+query: '--- File assoc change by registry
+
+ RegistryKeyPath In Contains Anycase ( "\shell\open\command" , "\shell\print\command"
+ , "\shell\printto\command" ) AND EventType In ( "Registry Value Create" , "Registry
+ Value Modified" )'
+false_positives: null
+tags: null
+
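Review bot: `subtechnique: 008` contradicts the title `T1548.002 Bypass User Access Control`; the sub-technique for UAC bypass is 002, so write `subtechnique: "002"`. The `ms-settings\shell\open\command` and `mscfile\shell\open\command` strings are checked only on `SrcProcCmdLine`, so the same keys written through the registry API rather than a visible `reg add` are missed; a clause such as `(RegistryKeyPath In Contains Anycase ("ms-settings\shell\open\command","mscfile\shell\open\command") AND EventType In ("Registry Value Create","Registry Value Modified"))` would cover that, with the agent 4.3.2.86 caveat from the description carried into `false_positives` as a known gap.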
diff --git a/queries/windows/clear_windows_event_logs.yml b/queries/windows/clear_windows_event_logs.yml
new file mode 100644
index 0000000..7024f74
--- /dev/null
+++ b/queries/windows/clear_windows_event_logs.yml
@@ -0,0 +1,19 @@
+title: Clear Windows Event Logs
+description: Detects the clearing of EventLogs through wevtutil (concise) as well
+ as Clear-EventLog through CommandLine and CommandScript objects. Powershell cmdlet
+ detection returns a lot of noise for the CommandScripts object, so filtering out
+ SrcProcParentName may be required.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1070
+ subtechnique: 001
+operating_system: windows
+query: (TgtProcName = "wevtutil.exe" AND TgtProcCmdLine ContainsCIS "cl ") OR ((SrcProcCmdLine
+ ContainsCIS "Clear-EventLog" OR SrcProcCmdScript ContainsCIS "Clear-EventLog") AND
+ SrcProcParentName Not In ("WmiPrvSE.exe","PFERemediation.exe","svchost.exe"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/cmstp.yml b/queries/windows/cmstp.yml
new file mode 100644
index 0000000..789fb01
--- /dev/null
+++ b/queries/windows/cmstp.yml
@@ -0,0 +1,16 @@
+title: CMSTP
+description: CMSTP is rarely used within my environment, so the below detection has
+ low false positives without filtering, though you may want to limit query to inf
+ files located in personal/writeable directories.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 003
+operating_system: windows
+query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/compile_after_delivery.yml b/queries/windows/compile_after_delivery.yml
new file mode 100644
index 0000000..604683b
--- /dev/null
+++ b/queries/windows/compile_after_delivery.yml
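Review bot: `TgtProcCmdLine ContainsCIS "cl "` catches only the short form of the wevtutil verb; the documented long form `wevtutil clear-log <log>` is equally valid and is not matched. Use `TgtProcCmdLine In Contains Anycase ("cl ","clear-log")` (or `RegExp "\b(cl|clear-log)\b"`) so both spellings are covered. The `SrcProcParentName Not In (...)` exclusion the description discusses deserves a `false_positives` entry rather than `null`, since it names the processes the rule deliberately ignores.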
@@ -0,0 +1,18 @@
+title: Compile After Delivery
+description: Both Atomic tests for this technique leverage csc.exe for compilation
+ of code. The below will detect specific compilation of executables as well as dynamic
+ compilation through detection of csc.exe creating executable files (both dll and
+ exe). Filter noise from later portion of query using SrcProcParentName Not In ().
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1027
+ subtechnique: 004
+operating_system: windows
+query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName =
+ "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/compiled_html_file.yml b/queries/windows/compiled_html_file.yml
new file mode 100644
index 0000000..9cd8606
--- /dev/null
+++ b/queries/windows/compiled_html_file.yml
@@ -0,0 +1,17 @@
+title: Compiled HTML File
+description: Breaking down the below query, the first section will detect Atomic Test
+ 1 where a malicious chm file spawns a process, whereas the second half of the query
+ detects hh.exe loading a remote payloads.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 001
+operating_system: windows
+query: (SrcProcName = "hh.exe" AND EventType = "Open Remote Process Handle") OR (SrcProcName
+ = "hh.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/cor_profiler.yml b/queries/windows/cor_profiler.yml
new file mode 100644
index 0000000..7047025
--- /dev/null
+++ b/queries/windows/cor_profiler.yml
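Review bot: The first clause pairs `TgtProcName = "csc.exe"` with `SrcProcCmdLine Contains "/target:exe"`, so the compiler's own argument is looked for on the parent's command line rather than on `TgtProcCmdLine`; if the target object is the csc process, this clause fires only when the parent happened to echo the flag. It is also case-sensitive and ignores csc's documented `/t:exe` short form and the `-target:exe` dash spelling. Suggested: `(TgtProcName = "csc.exe" AND TgtProcCmdLine RegExp "[/-](t|target):exe")`. The `TgtFileIsExecutable = "true"` comparison treats a boolean field as a string; confirm that is how the platform expects it.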
@@ -0,0 +1,16 @@
+title: COR Profiler
+description: Detection of unmanaged COR profiler hooking of .NET CLR through registry
+ or process command.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Persistence, Privilege Escalation
+ technique: T1574
+ subtechnique: 012
+operating_system: windows
+query: (SrcProcCmdScript Contains "COR_" AND SrcProcCmdScript Contains "\Environment")
+ OR RegistryKeyPath Contains "COR_PROFILER_PATH" OR SrcProcCmdScript Contains "$env:COR_"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/deobfuscate_or_decode_files.yml b/queries/windows/deobfuscate_or_decode_files.yml
new file mode 100644
index 0000000..bccc1b2
--- /dev/null
+++ b/queries/windows/deobfuscate_or_decode_files.yml
@@ -0,0 +1,19 @@
+title: Deobfuscate or Decode Files
+description: This Atomic tests detections of certutil encoding and decoding of executables,
+ and the replication of certutil for bypassing detection of executable encoding.
+ Our query below will detected renamed certutil through matching of DisplayName,
+ as well as encoding or decoding of exe files.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1140
+ subtechnique: null
+operating_system: windows
+query: (TgtProcName != "certutil.exe" AND TgtProcDisplayName = "CertUtil.exe") OR
+ ( TgtProcDisplayName = "CertUtil.exe" AND (TgtProcCmdLine RegExp "^.*(-decode).*\.(exe)"
+ OR TgtProcCmdLine RegExp "^.*(-encode).*\.(exe)") )
+false_positives: null
+tags: null
+
diff --git a/queries/windows/disable_defender_firewall.yml b/queries/windows/disable_defender_firewall.yml
new file mode 100644
index 0000000..5f019b1
--- /dev/null
+++ b/queries/windows/disable_defender_firewall.yml
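Review bot: The registry clause matches only `COR_PROFILER_PATH`, but the profiler is enabled through `COR_ENABLE_PROFILING` and `COR_PROFILER` (the `_PATH` variant is optional when the CLSID is registered), so a registry-set `COR_PROFILER` value on its own is not detected. Every clause also uses case-sensitive `Contains`, although PowerShell treats `$env:cor_profiler` identically to `$env:COR_PROFILER`. Suggested: `RegistryKeyPath In Contains Anycase ("COR_ENABLE_PROFILING","COR_PROFILER")` for the registry clause and `ContainsCIS` for the script clauses.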
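Review bot: The two `RegExp` clauses accept only the dash spelling `-decode`/`-encode`, while certutil accepts `/decode` and `/encode` as well, so the slash form of the same command is not detected. `TgtProcCmdLine RegExp "[-/](de|en)code.*\.exe"` covers both spellings in one clause. The description's "will detected" should read "will detect".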
@@ -0,0 +1,14 @@
+title: Disable Defender Firewall
+description: Detection on disabling Microsoft Defender Firewall.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 004
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "state off"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/disable_iis_logging.yml b/queries/windows/disable_iis_logging.yml
new file mode 100644
index 0000000..b88894c
--- /dev/null
+++ b/queries/windows/disable_iis_logging.yml
@@ -0,0 +1,15 @@
+title: Disable IIS Logging
+description: Detects disabling of IIS logging.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 002
+operating_system: windows
+query: TgtProcName = "appcmd.exe" AND TgtProcCmdLine ContainsCIS "/dontLog:true" AND
+ TgtProcCmdLine ContainsCIS "/section:httplogging"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/disable_microsoft_office_security_features.yml b/queries/windows/disable_microsoft_office_security_features.yml
new file mode 100644
index 0000000..b546aaa
--- /dev/null
+++ b/queries/windows/disable_microsoft_office_security_features.yml
@@ -0,0 +1,16 @@
+title: T1562.001 Disable Microsoft Office Security Features
+description: Detects disabling of Microsoft Office Security features.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 001
+operating_system: windows
+query: (RegistryKeyPath ContainsCIS "Excel\Security" OR RegistryKeyPath ContainsCIS
+ "Excel\Security\ProtectedView") AND RegistryKeyPath In Contains Anycase ("VBAWarnings","DisableInternetFilesInPV","DisableUnsafeLocationsInPV","DisableAttachementsInPV")
+ AND EventType In ("Registry Value Create","Registry Value Modified")
+false_positives: null
+tags: null
+
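Review bot: The rule is limited to `netsh.exe` with `state off`, so disabling the firewall through the PowerShell `Set-NetFirewallProfile -Enabled False` cmdlet is not covered even though the title is generic. Add `OR (SrcProcCmdLine ContainsCIS "Set-NetFirewallProfile" AND SrcProcCmdLine ContainsCIS "-Enabled False")` (and the matching `SrcProcCmdScript` clause, as the other PowerShell rules in this commit do). `false_positives` should mention lab and imaging scripts that legitimately turn the firewall off.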
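Review bot: Every registry path in the query sits under `Excel\Security`, so the rule watches Excel only while the title and description promise Microsoft Office broadly; Word, PowerPoint and Outlook carry the same `VBAWarnings` and Protected View values under their own `<App>\Security` keys. Either list the other application keys, e.g. `RegistryKeyPath In Contains Anycase ("Excel\Security","Word\Security","PowerPoint\Security")`, or narrow the title. The second operand `ContainsCIS "Excel\Security\ProtectedView"` is redundant because it is a substring of the first. `DisableAttachementsInPV` is the value name as Microsoft actually spells it, so that is not a typo to "fix".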
diff --git a/queries/windows/disable_sysmon.yml b/queries/windows/disable_sysmon.yml
new file mode 100644
index 0000000..5ed6d88
--- /dev/null
+++ b/queries/windows/disable_sysmon.yml
@@ -0,0 +1,15 @@
+title: Disable Sysmon
+description: Detection of disabling the Sysmon driver or service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 001
+operating_system: windows
+query: (TgtProcName = "fltmc.exe" AND TgtProcCmdLine ContainsCIS "unload SysmonDrv")
+ OR (TgtProcName = "sysmon.exe" AND TgtProcCmdLine ContainsCIS "-u")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/dll_search_order_hijacking.yml b/queries/windows/dll_search_order_hijacking.yml
new file mode 100644
index 0000000..095422c
--- /dev/null
+++ b/queries/windows/dll_search_order_hijacking.yml
@@ -0,0 +1,15 @@
+title: DLL Search Order Hijacking
+description: Detection of common DLL search order hijacks.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Persistence, Privilege Escalation
+ technique: T1574
+ subtechnique: 001
+operating_system: windows
+query: (FileFullName ContainsCIS "amsi.dll" AND FileFullName Does Not ContainCIS "System32")
+ AND EventType = "File Creation"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/dll_side-loading_of_npp_gup.exe.yml b/queries/windows/dll_side-loading_of_npp_gup.exe.yml
new file mode 100644
index 0000000..a54f090
--- /dev/null
+++ b/queries/windows/dll_side-loading_of_npp_gup.exe.yml
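Review bot: `TgtProcName = "sysmon.exe"` misses the 64-bit binary `Sysmon64.exe`, which accepts the same `-u` uninstall switch, so the most common installation on current hosts is not covered; `TgtProcName In Contains Anycase ("sysmon.exe","sysmon64.exe")` covers both shipped binaries. `ContainsCIS "-u"` is a two-character substring that will also match other arguments; anchoring it as a token (`TgtProcCmdLine RegExp "\s-u\b"`) keeps the intent. Stopping the service via `sc stop`/`net stop` is not covered either, which is worth stating in the description.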
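Review bot: `FileFullName Does Not ContainCIS "System32"` exempts only one legitimate location; `amsi.dll` is also legitimately written under `SysWOW64` and the WinSxS servicing store, so OS updates will trigger the rule. Add `AND FileFullName Does Not ContainCIS "SysWOW64"` at least, and note in `false_positives` that servicing writes this file. Only `amsi.dll` is covered although the title reads "common DLL search order hijacks"; the title or description should say so.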
@@ -0,0 +1,16 @@
+title: DLL Side-Loading of Notepad++ GUP.exe
+description: Detection for GUP.exe side-loading a dll, where executable has a display
+ name of "WinGup for Notepad++" and has non-standard source process. Keep an eye
+ on Cross Process events.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Persistence, Privilege Escalation
+ technique: T1574
+ subtechnique: 002
+operating_system: windows
+query: TgtProcDisplayName ContainsCIS "WinGup" and SrcProcName Not In ("notepad++.exe","explorer.exe","lsass.exe","csrss.exe","svchost.exe","WerFault.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/enable_guest_account_with_rdp_and_admin.yml b/queries/windows/enable_guest_account_with_rdp_and_admin.yml
new file mode 100644
index 0000000..c663410
--- /dev/null
+++ b/queries/windows/enable_guest_account_with_rdp_and_admin.yml
@@ -0,0 +1,19 @@
+title: Enable Guest account with RDP and Admin
+description: Detects enabling of Guest account, adding Guest account to groups, as
+ well as changing of Deny/Allow of Terminal Server connections through Registry changes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Initial Access, Persistence, Privilege Escalation, Defense Evasion
+ technique: T1078
+ subtechnique: 001
+operating_system: windows
+query: (SrcProcCmdLine ContainsCIS "net localgroup" AND SrcProcCmdLine ContainsCIS
+ "guest /add") OR (SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS
+ "/active:yes") OR (RegistryKeyPath In Contains ("Terminal Server\AllowTSConnections","Terminal
+ Server\DenyTSConnections") AND EventType In ("Registry Value Create","Registry Value
+ Modified"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/exchange_transport_agent_cmdlet_use.yml b/queries/windows/exchange_transport_agent_cmdlet_use.yml
new file mode 100644
index 0000000..5911ad0
--- /dev/null
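Review bot: The second clause `SrcProcCmdLine ContainsCIS "net user" AND SrcProcCmdLine ContainsCIS "/active:yes"` matches the activation of any account, not only Guest as the title and description state, so routine re-enabling of staff accounts will fire; either add `AND SrcProcCmdLine ContainsCIS "guest"` or widen the description to "any account activation". The registry clause uses case-sensitive `In Contains` while the rest of the query uses `ContainsCIS`; `In Contains Anycase` keeps the file consistent. `false_positives: null` should at least mention helpdesk account re-activation.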
+++ b/queries/windows/exchange_transport_agent_cmdlet_use.yml
@@ -0,0 +1,16 @@
+title: Exchange Transport Agent Cmdlet Use
+description: Detection of Powershell TransportAgent Cmdlets being used to setup an
+ Exchange Transport Agent.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1505
+ subtechnique: 002
+operating_system: windows
+query: SrcProcCmdLine In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
+ OR SrcProcCmdScript In Contains Anycase ("Install-TransportAgent","Enable-TransportAgent","Get-TransportAgent")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/findstr_password_extraction.yml b/queries/windows/findstr_password_extraction.yml
new file mode 100644
index 0000000..94c6225
--- /dev/null
+++ b/queries/windows/findstr_password_extraction.yml
@@ -0,0 +1,16 @@
+title: T1552.001 Findstr Password Extraction
+description: Detection of content exfiltration of passwords within files using findstr.exe
+ or PowerShell's findstr.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1552
+ subtechnique: 006
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern
+ password"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/group_policy_preference_extraction.yml b/queries/windows/group_policy_preference_extraction.yml
new file mode 100644
index 0000000..7963570
--- /dev/null
+++ b/queries/windows/group_policy_preference_extraction.yml
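Review bot: `Get-TransportAgent` is a read-only enumeration cmdlet that Exchange administrators and health-check scripts run routinely, so listing it beside `Install-TransportAgent` and `Enable-TransportAgent` turns a precise persistence rule into a noisy one while `false_positives` stays `null`. Either drop it from both lists, or keep it and document the noise, e.g. `false_positives: Exchange administration and monitoring scripts calling Get-TransportAgent.`.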
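Review bot: `subtechnique: 006` contradicts the title `T1552.001 Findstr Password Extraction`: T1552.006 is Group Policy Preferences (the next file in this commit), while searching files for credentials is T1552.001 (Credentials In Files), so write `subtechnique: "001"`. The `-pattern password` clause matches a `Select-String` invocation, not "PowerShell's findstr" as the description puts it. Neither clause restricts the process name, so `"/si pass"` will also match unrelated tools whose arguments contain that text; pairing the first clause with `TgtProcName = "findstr.exe"` narrows it.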
@@ -0,0 +1,17 @@
+title: Group Policy Preference Cred Extraction
+description: Detection focuses on sysvol GP Policy xml file enumeration, with findstr
+ or Get-GPPPassword (Alias or CmdScript internal match).
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1552
+ subtechnique: 006
+operating_system: windows
+query: TgtProcCmdline RegExp "^.*\/S cpassword.*\\sysvol\\.*.xml" OR TgtProcCmdline
+ ContainsCIS "Get-GPPPassword" OR SrcProcCmdScript ContainsCIS "Get-ChildItem -Path
+ \"\\$Server\SYSVOL\" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/image_file_execution_debugger.yml b/queries/windows/image_file_execution_debugger.yml
new file mode 100644
index 0000000..87d9909
--- /dev/null
+++ b/queries/windows/image_file_execution_debugger.yml
@@ -0,0 +1,17 @@
+title: Image File Execution Debugger
+description: Detections addition of a debugger process to executables using Image
+ File Execution Options.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 008
+operating_system: windows
+query: (RegistryKeyPath ContainsCIS "CurrentVersion\Image File Execution Options"
+ AND RegistryKeyPath ContainsCIS ".exe\Debugger") AND (EventType = "Registry Value
+ Create" OR EventType = "Registry Key Create")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/image_file_execution_options_injection.yml b/queries/windows/image_file_execution_options_injection.yml
new file mode 100644
index 0000000..6371916
--- /dev/null
+++ b/queries/windows/image_file_execution_options_injection.yml
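Review bot: `subtechnique: 008` is Accessibility Features; writing a `Debugger` value under Image File Execution Options is T1546.012, the mapping the next file `image_file_execution_options_injection.yml` already uses, so write `subtechnique: "012"`. The `EventType` filter lists `Registry Value Create` and `Registry Key Create` but not `Registry Value Modified`, so re-pointing an existing `Debugger` value at a different binary is not detected although the other registry rules in this commit include that event. Suggested: `AND EventType In ("Registry Value Create","Registry Value Modified","Registry Key Create")`. The description's "Detections addition" should read "Detects addition".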
@@ -0,0 +1,16 @@
+title: Image File Execution Options Injection
+description: Detection of Image File Execution Options tampering for persistence through
+ Registry monitoring.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 012
+operating_system: windows
+query: RegistryKeyPath In Contains Anycase ("CurrentVersion\Image File Execution Options","CurrentVersion\SilentProcessExit")
+ AND RegistryKeyPath In Contains Anycase ("GlobalFlag","ReportingMode","MonitorProcess")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/inhibit_system_recovery.yml b/queries/windows/inhibit_system_recovery.yml
new file mode 100644
index 0000000..8a6672a
--- /dev/null
+++ b/queries/windows/inhibit_system_recovery.yml
@@ -0,0 +1,18 @@
+title: Inhibit System Recovery
+description: Detects the use of vssadmin, wbadmin, bcdedit and powershell deletion
+ of shadowcopy content and disabling of system recovery.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Impact
+ technique: T1490
+ subtechnique: null
+operating_system: windows
+query: TgtProcCmdLine In Contains Anycase ("delete shadows","shadowcopy delete","delete
+ catalog","recoveryenabled no") OR (TgtProcCmdLine ContainsCIS "Win32_ShadowCopy"
+ AND TgtProcCmdLine ContainsCIS "Delete()") OR (SrcProcCmdScript ContainsCIS "Win32_ShadowCopy"
+ AND SrcProcCmdScript ContainsCIS "Delete()")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/invoke-maldoc.yml b/queries/windows/invoke-maldoc.yml
new file mode 100644
index 0000000..ce31430
--- /dev/null
+++ b/queries/windows/invoke-maldoc.yml
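Review bot: The query has no `EventType` restriction, unlike every other registry rule in this commit, so it returns whatever registry event types the platform records for these paths rather than only the creation or modification that signals tampering. Append `AND EventType In ("Registry Value Create","Registry Value Modified")` to bring it in line with the sibling rules. The second operand lists value names (`GlobalFlag`, `ReportingMode`, `MonitorProcess`) but is applied to `RegistryKeyPath`; confirm that field includes the value name, otherwise the conjunction matches nothing.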
@@ -0,0 +1,22 @@
+title: Invoke-MalDoc
+description: This execution of macro code using Invoke-MalDoc triggers S1 T1027 Evasion
+ Indicator, so we could RegEx on IndicatorMetadata but that'd have noise. The query
+ should only be used for threat hunting, but it will detect Macro security settings
+ changes to the registry for Word and Excel as well as detecting COM objects within
+ ComandLine and CommandScript indicator objects. There may be a lot of results, focus
+ on Indicators and Command Scripts objects as they'll have less false positives.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Initial Access
+ technique: T1566
+ subtechnique: 001
+operating_system: windows
+query: (RegistryPath In Contains ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")
+ AND EventType In ("Registry Value Create","Registry Value Modified")) OR (SrcProcCmdLine
+ In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application")
+ OR SrcProcCmdScript In Contains Anycase ("ActiveVBProject.VBComponents","Word.Application","Excel.Application"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/kill_eventlog_service_threads.yml b/queries/windows/kill_eventlog_service_threads.yml
new file mode 100644
index 0000000..43000f8
--- /dev/null
+++ b/queries/windows/kill_eventlog_service_threads.yml
@@ -0,0 +1,17 @@
+title: Kill Eventlog Service Threads
+description: Detection is specific to Invoke-Phant0m strings as the test uses it,
+ and we're hoping to catch renamed and obfuscated versions by catching the TerminateThread
+ call.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 002
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "Invoke-Phant0m" OR SrcProcCmdScript ContainsCIS
+ "$Kernel32::TerminateThread($getThread" OR SrcProcCmdScript ContainsCIS "Invoke-Phant0m"
+false_positives: null
+tags: null
+
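Review bot: The registry clause uses `RegistryPath`, while every other registry rule in this commit (and the guidance in the description) uses `RegistryKeyPath`; if only one spelling is a real field, the `AccessVBOM` half of this hunt matches nothing. Change it to `RegistryKeyPath In Contains Anycase ("Word\Security\AccessVBOM","Excel\Security\AccessVBOM")`, which also makes the case handling consistent with the `Anycase` lists below it. The description says this is hunting-only with many results, which belongs in `false_positives` (e.g. `Office automation and add-ins instantiating Word.Application/Excel.Application.`) rather than `null`; "ComandLine" there is a typo.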
diff --git a/queries/windows/lazagne_password_theft.yml b/queries/windows/lazagne_password_theft.yml
new file mode 100644
index 0000000..8eda20e
--- /dev/null
+++ b/queries/windows/lazagne_password_theft.yml
@@ -0,0 +1,17 @@
+title: LaZagne Password Theft
+description: LaZagne happens to spawn 3 cmd shells to save security, system and sam
+ RegKeys, and the standard compiled release from github will have the original name
+ artifact of lazagne.exe.manifest within the %temp%_MEI?????\lazagne.exe.manifest
+ location.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1552
+ subtechnique: 001
+operating_system: windows
+query: TgtProcCmdline Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/local_account_added_windows.yml b/queries/windows/local_account_added_windows.yml
new file mode 100644
index 0000000..24f5fe4
--- /dev/null
+++ b/queries/windows/local_account_added_windows.yml
@@ -0,0 +1,16 @@
+title: Local Account Added Windows
+description: Query below we'll query all instances of local accounts being created.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1136
+ subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine In Contains Anycase ("net user /add","New-LocalUser")
+ OR SrcProcCmdLine RegExp "\bdscl\b.*\b/\create\b" OR SrcProcCmdLine RegExp "\bnet
+ localgroup administrators\b.*\b\/add\b"
+false_positives: General account maintenance.
+tags: null
+
diff --git a/queries/windows/logon_scripts_windows.yml b/queries/windows/logon_scripts_windows.yml
new file mode 100644
index 0000000..99c4a35
--- /dev/null
+++ b/queries/windows/logon_scripts_windows.yml
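Review bot: `TgtProcCmdline Contains "reg.exe save hklm\s"` is case-sensitive and requires the `.exe` suffix, so `reg save HKLM\SAM` — the form most documentation shows — is not matched, while the intent is clearly to catch hive saves of `sam`, `security` and `system`. `TgtProcCmdLine ContainsCIS "save hklm\s"` matches the same three hives regardless of case or suffix, and uses the `TgtProcCmdLine` spelling the rest of the commit relies on. The description's `%temp%_MEI?????` path is not part of the query (only `lazagne.exe.manifest` is), which the description should make clear, and the credential-dumping half of this rule arguably maps to T1003 rather than T1552.001.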
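Review bot: `"net user /add"` can never match a real command line, because the account name (and usually a password) sits between `user` and `/add` — a made-up example such as `net user jdoe P@ss /add` contains both words but not the contiguous literal. The `dscl` alternative is a macOS command that belongs in `local_account_added_nix.yml`, and its `/\create` contains `\c`, which most regex engines read as a control-character escape, so that branch is both misplaced and broken. Suggested replacement for the first two alternatives: `SrcProcCmdLine RegExp "\bnet\s+user\b.*\s/add\b" OR SrcProcCmdLine ContainsCIS "New-LocalUser"`. The description "Query below we'll query" should read "The query below finds".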
@@ -0,0 +1,15 @@
+title: Logon Scripts Windows
+description: Detects addition of logon scripts through command line or registry methods.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1037
+ subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
+ "UserInitMprLogonScript" AND EventType = "Registry Value Create")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/lsa_secrets.yml b/queries/windows/lsa_secrets.yml
new file mode 100644
index 0000000..33b3a21
--- /dev/null
+++ b/queries/windows/lsa_secrets.yml
@@ -0,0 +1,15 @@
+title: T1003.004 LSA Secrets
+description: For simplicity, we're detecting a Cmdline used for both psexec (the test)
+ as well as direct reg.exe LSA extraction.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1003
+ subtechnique: 004
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "save HKLM\security\policy\secrets"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/lsass_memory_dumping.yml b/queries/windows/lsass_memory_dumping.yml
new file mode 100644
index 0000000..604c0c1
--- /dev/null
+++ b/queries/windows/lsass_memory_dumping.yml
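Review bot: This file carries the same description and query as windows_logon_scripts.yml later in the commit, differing only in title and tactic (Persistence here, Privilege Escalation there); keep one file with `tactic: Persistence, Privilege Escalation` as the other multi-tactic rules do, and note that the second copy also lacks a trailing newline. Separately, `UserInitMprLogonScript` is a registry value name rather than a key, so whether `RegistryKeyPath ContainsCIS "UserInitMprLogonScript"` can match depends on that field including the value component; other rules in this commit use `RegistryPath` for value-level matches (invoke_maldoc, netsh_helper_dll), so confirm which field carries the value name and use it here and in screensaver_change and security_support_provider.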
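Review bot: `ContainsCIS "save HKLM\security\policy\secrets"` only matches a save of that one subkey, while saving the parent `HKLM\SECURITY` hive yields the same data and is what lazagne_password_theft's `hklm\s` term is aimed at; `ContainsCIS "save HKLM\security"` covers both forms, and the description should say that the psexec test saves the subkey directly. The `T1003.004` prefix in `title:` duplicates the `mitre:` block and no other title in the commit carries one.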
@@ -0,0 +1,18 @@
+title: LSASS Memory Dumping
+description: Detection of wce by hash, procdump, comsvc, dumpert, mimikatz, pypykatz, and werfault all in one query.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1003
+ subtechnique: 001
+operating_system: windows
+query: TgtProcImageSha1 = "f0c52cea19c204f5cdbe952cc7cfc182e20d8d43" OR TgtProcCmdline
+ ContainsCIS "-ma lsass.exe" OR TgtProcCmdline ContainsCIS "comsvcs.dll, MiniDump"
+ OR TgtFilePath = "C:\Windows\Temp\dumpert.dmp" OR TgtFilePath RegExp "^.*lsass.*.DMP"
+ OR (SrcProcCmdline ContainsCIS "sekurlsa::minidump" OR SrcProcCmdline ContainsCIS
+ "sekurlsa::logonpasswords") OR SrcProcCmdline ContainsCIS "live lsa"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/malicious_documents.yml b/queries/windows/malicious_documents.yml
new file mode 100644
index 0000000..b14f2c0
--- /dev/null
+++ b/queries/windows/malicious_documents.yml
@@ -0,0 +1,18 @@
+title: Malicious Documents
+description: The tests for this technique overlap heavily with T1566.001 Spearphishing
+ Attachment due to similar download and macro detections, so here we're focusing
+ on detecting Office applications launching processes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution
+ technique: T1204
+ subtechnique: 002
+operating_system: windows
+query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
+ In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
+ OR IndicatorName = "SuspiciousDocument"
+false_positives: Legit docs with macros.
+tags: null
+
diff --git a/queries/windows/malicious_process_start_added_to_powershell_profile.yml b/queries/windows/malicious_process_start_added_to_powershell_profile.yml
new file mode 100644
index 0000000..ff1177f
--- /dev/null
+++ b/queries/windows/malicious_process_start_added_to_powershell_profile.yml
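Review bot: `TgtFilePath RegExp "^.*lsass.*.DMP"` leaves the dot before `DMP` unescaped and, if RegExp is case-sensitive like `Contains`, does not match a lower-case `lsass.dmp`; `RegExp "lsass.*\.dmp$"` with an inline `(?i)` flag (if the engine honours it) or a `ContainsCIS` pair is more reliable. The single `TgtProcImageSha1` value pins one build of wce and silently stops matching on any rebuild, which the description should state so the hash is maintained. `TgtProcCmdline`/`SrcProcCmdline` casing differs from the `CmdLine` spelling used in most other rules of this commit.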
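Review bot: The parent list uses case-sensitive `In Contains ("WINWORD.EXE","EXCEL.EXE")` while the child list uses `Anycase`; the asymmetry looks accidental, and `In Contains Anycase` on both sides removes any doubt about how the agent reports the image name. POWERPNT.EXE and OUTLOOK.EXE are absent from the parent list although the description speaks of Office applications in general; either add them or narrow the description to Word and Excel.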
@@ -0,0 +1,18 @@
+title: Malicious Process Start Added to Powershell Profile
+description: Detects the addition of process execution strings (TgtProcCmdLine In
+ Contains Anycase (list))to the powershell profile, through CommandLine and CommandScript
+ indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 013
+operating_system: windows
+query: (SrcProcCmdScript ContainsCIS "Add-Content $profile -Value" AND SrcProcCmdScript
+ ContainsCIS "Start-Process") OR (TgtProcCmdLine ContainsCIS "Add-Content $profile"
+ AND TgtProcCmdLine In Contains Anycase ("Start-Process","& ","cmd.exe /c"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml b/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml
new file mode 100644
index 0000000..a171465
--- /dev/null
+++ b/queries/windows/modified_sysinternals_accesschk_chrome_password_collector.yml
@@ -0,0 +1,17 @@
+title: Modified SysInternals AccessChk Chrome password collector
+description: To focus on detection, we're looking for AccessChk.exe where the DisplayName
+ does not match that of the original. There's 4X as many Cross_Process objects with
+ this query but none detect the collection of the Chrome password db.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1555
+ subtechnique: 003
+operating_system: windows
+query: TgtProcName = "accesschk.exe" AND TgtProcDisplayName != "Reports effective
+ permissions for securable objects"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/modify_or_create_windows_service.yml b/queries/windows/modify_or_create_windows_service.yml
new file mode 100644
index 0000000..d85da4d
--- /dev/null
+++ b/queries/windows/modify_or_create_windows_service.yml
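Review bot: Both branches only match `Add-Content $profile`, so writes to the profile through `Set-Content`, `Out-File` or `>>` are not covered and the description's "addition of process execution strings to the powershell profile" overstates the scope. Either widen the profile term to `SrcProcCmdScript ContainsCIS "$profile"` combined with the existing Start-Process check, or state in the description that only the Add-Content cmdlet form is detected.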
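Review bot: The rule hinges on `TgtProcName = "accesschk.exe"`, so it only sees the modified tool while it keeps the original file name, and the `!=` on `TgtProcDisplayName` depends on the version resource being edited rather than stripped; the description should state both limits explicitly. If DV exposes a publisher or signature-validity field for the target process, `accesschk.exe` with a missing or invalid Sysinternals signature would be a tighter signal than the display-name string — confirm the field name before adding it.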
@@ -0,0 +1,15 @@
+title: Windows Service Creation Modification
+description: Detects creation and modification of windows services through binPath
+ argument to sc.exe.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1543
+ subtechnique: 003
+operating_system: windows
+query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
+false_positives: null
+tags: null
+
diff --git a/queries/windows/mshta.yml b/queries/windows/mshta.yml
new file mode 100644
index 0000000..6ccc8a2
--- /dev/null
+++ b/queries/windows/mshta.yml
@@ -0,0 +1,18 @@
+title: Mshta
+description: SentinelOne happens to be pretty good at detecting MSHTA attacks, and
+ IndicatorName = "SuspiciousScript" specifically picks out these javascript based
+ attacks very well. The below query will detect mshta.exe spawning processes as well
+ as URLs for remote payloads to be loaded by mshta.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 005
+operating_system: windows
+query: (SrcProcName = "mshta.exe" and EventType = "Open Remote Process Handle") OR
+ (SrcProcName = "mshta.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/msiexec_remote_msi.yml b/queries/windows/msiexec_remote_msi.yml
new file mode 100644
index 0000000..5186b91
--- /dev/null
+++ b/queries/windows/msiexec_remote_msi.yml
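Review bot: `TgtProcCmdLine Contains "binPath="` is case-sensitive while sc.exe accepts `binpath=` and `BINPATH=` equally, so one of the most common spellings is missed; use `ContainsCIS "binpath="` as the other rules do. A `SrcProcParentName Not In (...)` exclusion in the style of service_start.yml would also cut the installer noise that `sc create`/`sc config` generate, and `false_positives: null` should at least name installers.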
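Review bot: The first branch uses lower-case `and` while every other rule writes `AND` (ntds_copy and parent_pid_spoofing mix cases too); if the DV parser is case-sensitive for operators the branch silently fails, so normalise to `AND`. The URL regex is repeated verbatim in msiexec_remote_msi.yml; a short note in the description saying that it is the shared URL pattern (and that it also matches bare IPv4 hosts) would help whoever maintains both copies.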
@@ -0,0 +1,20 @@
+title: Msiexec Remote MSI
+description: The below query will accurately detect execution of remote msi files
+ by msiexec.exe. The second half of the query aims to detect processes spawned by
+ msi files instead of dll files in the CommandLine (as that is very noisy) and may
+ return a bit of noise within for the CrossProcess Object as some auto-update processes
+ may be collected by this query.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 007
+operating_system: windows
+query: ( SrcProcName = "msiexec.exe" AND SrcProcCmdLine RegExp "https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
+ ) OR (SrcProcName RegExp "^.*\.(tmp)" AND EventType = "Open Remote Process Handle"
+ AND SrcProcParentName = "msiexec.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/netsh_helper_dll.yml b/queries/windows/netsh_helper_dll.yml
new file mode 100644
index 0000000..e460797
--- /dev/null
+++ b/queries/windows/netsh_helper_dll.yml
@@ -0,0 +1,17 @@
+title: Netsh Helper DLL
+description: Detection of "helper" dlls with network command shell, through command
+ arguments or registry modification.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 007
+operating_system: windows
+query: (TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR
+ (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value
+ Create")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/non_windows_control_panel_item.yml b/queries/windows/non_windows_control_panel_item.yml
new file mode 100644
index 0000000..be9d475
--- /dev/null
+++ b/queries/windows/non_windows_control_panel_item.yml
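Review bot: `SrcProcName RegExp "^.*\.(tmp)"` is not anchored at the end, so any process name containing `.tmp` anywhere (`foo.tmpdata.exe`) matches; `RegExp "\.tmp$"` expresses the intent. The leading `^.*` here and in the ntds_copy regexes is redundant for an unanchored search and only makes the patterns harder to read.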
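Review bot: The registry branch only matches `EventType = "Registry Value Create"`, so re-pointing an existing helper value at a different DLL (a "Registry Value Modified" event) is not covered although the description says "registry modification"; use `EventType In ("Registry Value Create","Registry Value Modified")` as invoke_maldoc.yml and screensaver_change.yml do.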
@@ -0,0 +1,19 @@
+title: Non-Windows Control Panel Item
+description: The below query will find all cpl files outside standard directories
+ and all cpl files executed outside of Windows directories. First portion of query
+ may need to be dropped if there's too much noise in your environment.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1218
+ subtechnique: 002
+operating_system: windows
+query: (TgtFileExtension = "cpl" AND TgtFilePath Does Not ContainCIS "C:\Windows"
+ AND TgtFilePath Does Not ContainCIS "C:\Program Files" AND TgtFilePath Does Not
+ ContainCIS "C:\$WINDOWS.~BT") OR (SrcProcName = "control.exe" AND SrcProcCmdLine
+ ContainsCIS ".cpl" AND SrcProcCmdLine Does Not ContainCIS "C:\Windows")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/ntds_copy.yml b/queries/windows/ntds_copy.yml
new file mode 100644
index 0000000..a0ca1b0
--- /dev/null
+++ b/queries/windows/ntds_copy.yml
@@ -0,0 +1,18 @@
+title: NTDS Copy
+description: We won't bother detecting VSS copies being created, rather detecting
+ credential file copies. NTDS.dit or SYSTEM whether a VSS copy or not.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1003
+ subtechnique: 003
+operating_system: windows
+query: SrcProcCmdline RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*" OR SrcProcCmdline
+ RegExp "^.*copy.*\\Windows\\System32\\config\\SYSTEM .*" OR SrcProcCmdline ContainsCIS
+ "save HKLM\SYSTEM" OR (TgtProcName = "ntdsutil.exe" AND TgtProcCmdline ContainsCIS
+ "ac i ntds") OR (TgtProcName = "mklink.exe" and TgtProcCmdline RegExp "^.*\/[d,D].*GLOBALROOT\\Device\\HarddiskVolumeShadowCopy.*")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/open_local_port_on_defender_firewall.yml b/queries/windows/open_local_port_on_defender_firewall.yml
new file mode 100644
index 0000000..b451a2d
--- /dev/null
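Review bot: The first branch excludes everything under `C:\Windows`, which also drops the user-writable `C:\Windows\Temp` and `C:\Windows\Tasks`, so .cpl files written there are never reported; exclude the specific system directories instead (`C:\Windows\System32`, `C:\Windows\SysWOW64`, `C:\Windows\WinSxS`) or state the gap in the description. `TgtFileExtension = "cpl"` is an exact, presumably case-sensitive comparison; `TgtFileExtension In Contains Anycase ("cpl")` matches the style used in web_shell_creation.yml.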
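Review bot: `TgtProcName = "mklink.exe"` can never match because mklink is a cmd.exe built-in rather than an executable, so the shadow-copy link branch is dead code; test `TgtProcName = "cmd.exe" AND TgtProcCmdline ContainsCIS "mklink"` together with the existing `GLOBALROOT\Device\HarddiskVolumeShadowCopy` regex. `RegExp "^.*copy.*\\Windows\\NTDS\\NTDS.dit.*"` is case-sensitive on `copy`, which cmd.exe is not, and the unescaped dot in `NTDS.dit` is harmless but inconsistent with the escaped backslashes around it.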
+++ b/queries/windows/open_local_port_on_defender_firewall.yml
@@ -0,0 +1,15 @@
+title: Open Local Port on Defender Firewall
+description: Detection of opening of local ports within Defender Firewall.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 004
+operating_system: windows
+query: TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add rule" AND TgtProcCmdLine
+ ContainsCIS "dir=in" AND TgtProcCmdLine ContainsCIS "localport="
+false_positives: null
+tags: null
+
diff --git a/queries/windows/parent_pid_spoofing.yml b/queries/windows/parent_pid_spoofing.yml
new file mode 100644
index 0000000..ad5804e
--- /dev/null
+++ b/queries/windows/parent_pid_spoofing.yml
@@ -0,0 +1,20 @@
+title: Parent PID Spoofing
+description: Detects parent PID spoofing through Cross Process indicators (SrcProcParentName
+ limits scope heavily) as well as detecting the use of PPID-Spoof powershell script
+ through Command Scripts indicators. Update the TgtProcName list to filter noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Privilege Escalation
+ technique: T1134
+ subtechnique: 004
+operating_system: windows
+query: (TgtProcRelation = "not_in_storyline" AND EventType = "Open Remote Process
+ Handle" AND SrcProcParentName In Contains Anycase ("userinit.exe","powershell.exe","cmd.exe")
+ AND TgtProcName != "sihost.exe" And TgtProcIntegrityLevel != "LOW" AND TgtProcName
+ Not In ("SystemSettings.exe")) OR (SrcProcCmdScript ContainsCIS "PPID-Spoof" AND
+ SrcProcCmdScript ContainsCIS "hSpoofParent = [Kernel32]::OpenProcess")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/pass_the_hash_and_pass_the_ticket.yml b/queries/windows/pass_the_hash_and_pass_the_ticket.yml
new file mode 100644
index 0000000..366f094
--- /dev/null
+++ b/queries/windows/pass_the_hash_and_pass_the_ticket.yml
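Review bot: The rule only covers `netsh.exe`, while the same inbound rule is created with the `New-NetFirewallRule -Direction Inbound -LocalPort` cmdlet, which the description ("opening of local ports within Defender Firewall") implies is in scope; add a `SrcProcCmdLine ContainsCIS "New-NetFirewallRule"` branch or state the netsh-only scope. `false_positives: null` is unlikely to hold for a rule that fires on every installer that opens a port; name those sources.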
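Review bot: The exclusions on `TgtProcName` are split across two operators (`!= "sihost.exe"` and `Not In ("SystemSettings.exe")`) although the description tells the reader to extend that list; merging them into one `TgtProcName Not In ("sihost.exe","SystemSettings.exe")` gives a single place to maintain. `And` is the only mixed-case operator in the rule; normalise it to `AND`.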
@@ -0,0 +1,15 @@
+title: Pass the Hash & Pass the Ticket
+description: 'Detecting command line arguments of Mimikatz, so binary and powershell
+ mimikatz will be detected assuming arguments haven''t been modified before deployment. '
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Lateral Movement
+ technique: T1550
+ subtechnique: null
+operating_system: windows
+query: TgtProcCmdLine In Contains Anycase ("sekurlsa::pth","/ntlm:","kerberos::ptt")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/powershell_gui_input_capture.yml b/queries/windows/powershell_gui_input_capture.yml
new file mode 100644
index 0000000..3307b0f
--- /dev/null
+++ b/queries/windows/powershell_gui_input_capture.yml
@@ -0,0 +1,17 @@
+title: PowerShell GUI Input Capture
+description: Focusing here on detecting the Powershell UI.PromptForCredential and
+ GetNetworkCredential().Password in CmdScript or CmdLine.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1056
+ subtechnique: 002
+operating_system: windows
+query: (TgtProcCmdline ContainsCIS ".UI.PromptForCredential(" AND TgtProcCmdline ContainsCIS ".GetNetworkCredential().Password")
+ OR (SrcProcCmdScript ContainsCIS ".UI.PromptForCredential(" AND SrcProcCmdScript
+ ContainsCIS ".GetNetworkCredential().Password")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/powershell_http_form_submission.yml b/queries/windows/powershell_http_form_submission.yml
new file mode 100644
index 0000000..ef83e90
--- /dev/null
+++ b/queries/windows/powershell_http_form_submission.yml
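Review bot: The single-quoted `description:` ends with `deployment. '`, so the loaded string carries a trailing space; drop the space before the closing quote. `"/ntlm:"` on its own is a broad token that may match unrelated tools taking an NTLM argument, so the description should say whether this is meant as an alert or a hunting query.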
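Review bot: Both branches require `.UI.PromptForCredential(` together with `.GetNetworkCredential().Password`, so the common `Get-Credential` prompt followed by the same extraction is not covered although the title is generic; add `Get-Credential` as an alternative prompt term or narrow the title to PromptForCredential. `TgtProcCmdline` differs from the `TgtProcCmdLine` spelling used in most other rules here.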
@@ -0,0 +1,15 @@
+title: PowerShell HTTP Form Submission
+description: Detection of powershell data POST and PUT with Invoke-WebRequest.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Exfiltration
+ technique: T1020
+ subtechnique: null
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "Invoke-WebRequest" AND (SrcProcCmdLine ContainsCIS
+ "-Method Put" OR SrcProcCmdLine ContainsCIS "-Method Post")
+false_positives: PowerShell HTTP form submissions.
+tags: null
+
diff --git a/queries/windows/powershell_keylogging.yml b/queries/windows/powershell_keylogging.yml
new file mode 100644
index 0000000..60b1f70
--- /dev/null
+++ b/queries/windows/powershell_keylogging.yml
@@ -0,0 +1,15 @@
+title: Powershell Keylogging
+description: Detect Get-KeyStrokes invocation by alias or CmdScript line matching.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1056
+ subtechnique: 001
+operating_system: windows
+query: TgtProcCmdline ContainsCIS "Get-Keystrokes" OR SrcProcCmdScript ContainsCIS
+ "user32.dll GetAsyncKeyState" OR SrcProcCmdScript ContainsCIS "[Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32("
+false_positives: null
+tags: null
+
diff --git a/queries/windows/powershell_maldoc.yml b/queries/windows/powershell_maldoc.yml
new file mode 100644
index 0000000..098dcbd
--- /dev/null
+++ b/queries/windows/powershell_maldoc.yml
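Review bot: `ContainsCIS "Invoke-WebRequest"` misses the `iwr` alias and `Invoke-RestMethod`, which send the same PUT/POST, and `-Method Put` misses the `-Method:Put` form; either extend the list (`In Contains Anycase ("Invoke-WebRequest","Invoke-RestMethod","iwr ")`) or keep the narrow scope and say in the description that aliases are out of scope. `false_positives: PowerShell HTTP form submissions.` restates the title; name a concrete source such as update or monitoring scripts.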
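Review bot: `"user32.dll GetAsyncKeyState"` only matches when the DLL name and the API are adjacent with a single space, which holds for one particular import style; a `[DllImport("user32.dll")]` declaration puts the two on different tokens and is not matched, so `SrcProcCmdScript ContainsCIS "GetAsyncKeyState"` on its own is the more robust term. The description's "by alias" is unclear — say whether it means the `Get-Keystrokes` function name on the command line.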
@@ -0,0 +1,21 @@
+title: Powershell MalDoc
+description: This test merely uses Powershell to download a maldoc, the below query
+ will find CommandLine or CommandScript downloads using multiple cradle methods as
+ documented here by HarmJ0y https://gist.github.com/HarmJ0y/bb48307ffa663256e239.
+ The below query should only be used for hunting purposes and covers most unobfuscated
+ powershell cradles.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Initial Access
+ technique: T1566
+ subtechnique: 001
+operating_system: windows
+query: (SrcProcCmdLine In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
+ (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP") OR SrcProcCmdScript
+ In Contains Anycase ("Net.WebClient","(iwr","DownloadString(","WinHttp.WinHttpRequest","IEX
+ (","InternetExplorer.Application","Msxml2.XMLHTTP","MSXML2.ServerXMLHTTP"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/process_hollowing.yml b/queries/windows/process_hollowing.yml
new file mode 100644
index 0000000..f489625
--- /dev/null
+++ b/queries/windows/process_hollowing.yml
@@ -0,0 +1,18 @@
+title: Process Hollowing
+description: Detect Process Hollowing using the Start-Hollow powershell script, through
+ CommandLine and CommandScript indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Privilege Escalation
+ technique: T1055
+ subtechnique: 012
+operating_system: windows
+query: '--- Detect Start-Hollow.ps1 by command or content
+
+ (SrcProcCmdScript ContainsCIS "Start-Hollow" AND SrcProcCmdScript ContainsCIS "[Hollow]::NtQueryInformationProcess")
+ OR TgtProcCmdLine ContainsCIS "Start-Hollow"'
+false_positives: null
+tags: null
+
diff --git a/queries/windows/process_injection.yml b/queries/windows/process_injection.yml
new file mode 100644
index 0000000..99f1ce6
--- /dev/null
+++ b/queries/windows/process_injection.yml
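Review bot: The eight-string list is written twice, once for `SrcProcCmdLine` and once for `SrcProcCmdScript`, and the `"IEX (` entry is split across a folded line in both copies so the space inside it is only preserved by the fold; any edit has to be mirrored by hand. Putting the query in a `>-` block scalar keeps the line break explicit and makes the two copies easy to diff. The description should also say that `(iwr` and `DownloadString(` are likely to fire on ordinary admin scripts, which is why the rule is marked hunting-only.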
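Review bot: The query value begins with the line `--- Detect Start-Hollow.ps1 by command or content` followed by a blank line; unless the DV query parser treats `---` lines as comments, that text is submitted as part of the query and it fails to parse, and no other rule in the commit embeds a comment this way. Move the sentence into `description:` and leave `query:` as the expression alone.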
@@ -0,0 +1,17 @@
+title: T1055 Process Injection
+description: Detects Process Injection through execution of MavInject, filtering out
+ noisy/expected activity. SrcProcParentName filter narrows Cross Process items to
+ HQ results.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Privilege Escalation
+ technique: T1055
+ subtechnique: null
+operating_system: windows
+query: (TgtProcName = "mavinject.exe" AND TgtProcCmdLine ContainsCIS "/injectrunning")
+ AND (SrcProcName Not In ("AppVClient.exe") AND SrcProcParentName Not In ("smss.exe"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/rdp_hijacking.yml b/queries/windows/rdp_hijacking.yml
new file mode 100644
index 0000000..b5f1c60
--- /dev/null
+++ b/queries/windows/rdp_hijacking.yml
@@ -0,0 +1,14 @@
+title: RDP Hijacking
+description: Detects RDS and RemoteApp session redirections for lateral movement.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Lateral Movement
+ technique: T1563
+ subtechnique: 002
+operating_system: windows
+query: SrcProcName = "tscon.exe" AND SrcProcCmdLine ContainsCIS "/dest:"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/registry_credential_enumeration.yml b/queries/windows/registry_credential_enumeration.yml
new file mode 100644
index 0000000..4a351cb
--- /dev/null
+++ b/queries/windows/registry_credential_enumeration.yml
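Review bot: Title `T1055 Process Injection` carries the ATT&CK id that the `mitre:` block already holds, unlike the other titles; drop the prefix. The description's "HQ results" should be spelled out, and the rule should state that only the `/injectrunning` switch is matched so the `/HMODULE` form is knowingly out of scope.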
@@ -0,0 +1,17 @@
+title: Registry Credential Enumeration
+description: This query detects enumeration and discovery of credentials within the
+ Registry, including Putty sessions.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1552
+ subtechnique: 002
+operating_system: windows
+query: TgtProcCmdline ContainsCIS "query HKLM /f password /t REG_SZ /s" OR TgtProcCmdline
+ ContainsCIS "query HKCU /f password /t REG_SZ /s" OR TgtProcCmdline ContainsCIS
+ "query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/registry_run_keys.yml b/queries/windows/registry_run_keys.yml
new file mode 100644
index 0000000..0d78ae5
--- /dev/null
+++ b/queries/windows/registry_run_keys.yml
@@ -0,0 +1,15 @@
+title: Registry Run Keys
+description: Detecting on the addition of registry keys to Run, RunOnce, RunOnceEx keys where Parent Process isn't "trusted".
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1547
+ subtechnique: 001
+operating_system: windows
+query: ( RegistryKeyPath ContainsCIS "Windows\CurrentVersion\Run" AND EventType =
+ "Registry Key Create" ) AND SrcProcParentName Not In ("smss.exe","svchost.exe","SetupHost.exe","OneDriveSetup.exe","WindowsUpdateBox.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/remove_amsi_provider_reg_key.yml b/queries/windows/remove_amsi_provider_reg_key.yml
new file mode 100644
index 0000000..7006a79
--- /dev/null
+++ b/queries/windows/remove_amsi_provider_reg_key.yml
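Review bot: Each term fixes the exact argument order (`query HKLM /f password /t REG_SZ /s`), so the same search with the switches in another order, or `/f password` without `/t REG_SZ`, is not matched; `TgtProcName = "reg.exe" AND TgtProcCmdline ContainsCIS "/f password"` covers the order-independent case. Spell the field `TgtProcCmdLine` as in most other rules of this commit.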
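Review bot: `EventType = "Registry Key Create"` only fires when a new subkey is created under `...\CurrentVersion\Run`, but adding an autostart entry writes a value into the already-existing Run/RunOnce key, which is a "Registry Value Create" (or Modified) event, so the common case the description targets is not matched; use `EventType In ("Registry Key Create","Registry Value Create","Registry Value Modified")`. The `Run` prefix also matches `RunServices` and `RunOnceEx`, which is fine but worth stating in the description.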
@@ -0,0 +1,15 @@
+title: Remove AMSI Provider Reg Key
+description: Detection of removal of AMSI as system provider.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion
+ technique: T1562
+ subtechnique: 001
+operating_system: windows
+query: RegistryPath ContainsCIS "\Microsoft\AMSI\Providers" AND EventType In ("Registry
+ Key Delete","Registry Value Delete")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/scheduled_tasks_creation.yml b/queries/windows/scheduled_tasks_creation.yml
new file mode 100644
index 0000000..25cd351
--- /dev/null
+++ b/queries/windows/scheduled_tasks_creation.yml
@@ -0,0 +1,19 @@
+title: Scheduled Tasks Creation
+description: Our goal with this query is to detect any schtasks /create command as
+ well as any use of the New-ScheduledTask* cmdlets from powershell, and to prevent
+ noise from services and updates we'll exclude a list of system "trusted" SrcProcParentName
+ executables.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution, Persistence
+ technique: T1053
+ subtechnique: 005
+operating_system: windows
+query: (( TgtProcName = "schtasks.exe" AND TgtProcCmdLine ContainsCIS "/create" )
+ OR ( SrcProcCmdLine ContainsCIS "New-ScheduledTask" OR SrcProcCmdScript ContainsCIS
+ "New-ScheduledTask" )) AND SrcProcParentName Not In ("services.exe","OfficeClickToRun.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/scheduledtaskregister.yml b/queries/windows/scheduledtaskregister.yml
new file mode 100644
index 0000000..037724a
--- /dev/null
+++ b/queries/windows/scheduledtaskregister.yml
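Review bot: `ContainsCIS "New-ScheduledTask"` matches the helper cmdlets (`New-ScheduledTaskAction`, `-Trigger`, `-Principal`) but the cmdlet that actually registers a task is `Register-ScheduledTask`, which a script can call with objects built elsewhere; add `"Register-ScheduledTask"` to both the CmdLine and CmdScript terms. The description's "New-ScheduledTask* cmdlets" should name Register-ScheduledTask as well.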
@@ -0,0 +1,15 @@
+title: ScheduledTaskRegister
+description: Leveraging the ScheduleTaskRegister Indicator object for detection of
+ registered tasks.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1053
+ subtechnique: 005
+operating_system: windows
+query: IndicatorName = "ScheduleTaskRegister" AND SrcProcParentName Not In ("Integrator.exe","OfficeClickToRun.exe","services.exe","OneDriveSetup.exe","Ccm32BitLauncher.exe","WmiPrvSE.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/screensaver_change.yml b/queries/windows/screensaver_change.yml
new file mode 100644
index 0000000..acb3124
--- /dev/null
+++ b/queries/windows/screensaver_change.yml
@@ -0,0 +1,16 @@
+title: Screensaver Change
+description: Detects malicious changes to screensaver through Registry changes, filtering
+ expected processes.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence, Privilege Escalation
+ technique: T1546
+ subtechnique: 002
+operating_system: windows
+query: RegistryKeyPath ContainsCIS "Control Panel\Desktop\SCRNSAVE.EXE" AND (EventType
+ In ("Registry Value Create","Registry Value Modified") AND SrcProcName Not In ("svchost.exe","SetupHost.exe","CcmExec.exe"))
+false_positives: null
+tags: null
+
diff --git a/queries/windows/scripted_lateral_rdp.yml b/queries/windows/scripted_lateral_rdp.yml
new file mode 100644
index 0000000..48d3552
--- /dev/null
+++ b/queries/windows/scripted_lateral_rdp.yml
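Review bot: The title and file name say `ScheduledTaskRegister` while the query and description use `ScheduleTaskRegister`; `IndicatorName =` is an exact match, so if the indicator is really spelled with the `d` the rule never fires. Confirm the exact indicator name against the console and use that spelling in all three places.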
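Review bot: The query cannot tell a malicious change from a user picking a screensaver in the Personalization dialog, which writes the same `SCRNSAVE.EXE` value through a process that is not in the exclusion list, so "Detects malicious changes" overstates it and `false_positives: null` is wrong; write `false_positives: User-initiated screensaver changes and imaging/GPO processes.` and describe the rule as a candidate for triage. Whether `RegistryKeyPath` includes the value name `SCRNSAVE.EXE` at all should be confirmed, since other rules use `RegistryPath` for value-level paths.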
@@ -0,0 +1,15 @@
+title: Scripted Lateral RDP
+description: Query will catch use of cmdkey for authenticating RDP sessions (often used for automated lateral movement).
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Lateral Movement
+ technique: T1021
+ subtechnique: 001
+operating_system: windows
+query: TgtProcName = "cmdkey.exe" AND TgtProcCmdLine ContainsCIS "/generic:TERMSRV"
+ AND TgtProcCmdLine ContainsCIS "/user:" AND TgtProcCmdLine ContainsCIS "/pass:"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/secure_delete_data_destruction.yml b/queries/windows/secure_delete_data_destruction.yml
new file mode 100644
index 0000000..cd6c618
--- /dev/null
+++ b/queries/windows/secure_delete_data_destruction.yml
@@ -0,0 +1,14 @@
+title: Secure Delete Data Destruction
+description: Detection of SDelete (by display name) and execution of DD command on *nix operating systems. Alternatively, DV 3.0 with 4.4 Agents will support TgtFileDeletionCount > "100" query for detection of over 100 files deleted, which can be combined with *FileType* for filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Impact
+ technique: T1485
+ subtechnique: null
+operating_system: windows
+query: TgtProcDisplayName = "Secure file delete"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/security_support_provider.yml b/queries/windows/security_support_provider.yml
new file mode 100644
index 0000000..922a030
--- /dev/null
+++ b/queries/windows/security_support_provider.yml
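Review bot: The description was copied from dd_data_destruction.yml and still talks about "execution of DD command on *nix operating systems", but this rule is `operating_system: windows` and its only term is `TgtProcDisplayName = "Secure file delete"`; rewrite it as `Detection of SDelete by its version-resource display name.` and keep the TgtFileDeletionCount note only if it still applies here. A display-name match only catches unmodified Sysinternals builds, which the description should state.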
@@ -0,0 +1,18 @@
+title: Security Support Provider
+description: Detection of changes to Security Support Provider through Registry modification.
+ Filters most standard system changes with SrcProcName Not In (list) but there will
+ be some noise from installers.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1547
+ subtechnique: 005
+operating_system: windows
+query: RegistryKeyPath ContainsCIS "\Control\Lsa\Security Packages" AND (SrcProcName
+ Not In ("services.exe","SetupHost.exe","svchost.exe") AND SrcProcCmdLine Does Not
+ ContainCIS "system32\wsauth.dll")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/service_disable.yml b/queries/windows/service_disable.yml
new file mode 100644
index 0000000..80f4c48
--- /dev/null
+++ b/queries/windows/service_disable.yml
@@ -0,0 +1,17 @@
+title: Service Disable
+description: Detecting the disabling of services through sc.exe, wmic, and powershell Set-Service cmdlet.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Impact
+ technique: T1489
+ subtechnique: null
+operating_system: windows
+query: (TgtProcName = "WMIC.exe" AND TgtProcCmdLine ContainsCIS "call ChangeStartmode
+ Disabled") OR (TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled")
+ OR (TgtProcCmdLine ContainsCIS "Set-Service" AND TgtProcCmdLine ContainsCIS "-StartupType
+ Disabled")
+false_positives: Manual service toggling.
+tags: null
+
diff --git a/queries/windows/service_start.yml b/queries/windows/service_start.yml
new file mode 100644
index 0000000..7e5dea2
--- /dev/null
+++ b/queries/windows/service_start.yml
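Review bot: `ContainsCIS "\Control\Lsa\Security Packages"` does not match the `\Control\Lsa\OSConfig\Security Packages` value, which LSA honours for the same purpose and which ATT&CK T1547.005 lists alongside it; matching `RegistryKeyPath ContainsCIS "\Control\Lsa\" AND RegistryKeyPath ContainsCIS "\Security Packages"` covers both. Also confirm that `RegistryKeyPath` carries the value name at all — `Security Packages` is a value, not a key, and other rules here use `RegistryPath` for value-level matches. The description should list installers in `false_positives:` rather than leaving it `null`.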
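Review bot: `TgtProcName = "sc.exe" AND TgtProcCmdLine ContainsCIS "disabled"` matches any sc.exe command line containing the word, while the config form is always `start= disabled` (sc.exe requires the space after `=`), so `ContainsCIS "start= disabled"` removes unrelated hits. `Set-Service` also accepts `-StartupType:Disabled` and positional abbreviations of the parameter name, so either add `"StartupType:Disabled"` to the list or note the gap in the description.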
@@ -0,0 +1,15 @@
+title: Service Starting
+description: Detection of sc.exe start or start-service.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution
+ technique: T1569
+ subtechnique: 002
+operating_system: windows
+query: (( SrcProcName = "sc.exe" AND SrcProcCmdLine ContainsCIS "create" ) OR SrcProcCmdLine
+ ContainsCIS "Start-Service" ) AND SrcProcParentName != "services.exe"
+false_positives: Manual service actions.
+tags: null
+
diff --git a/queries/windows/startup_folder.yml b/queries/windows/startup_folder.yml
new file mode 100644
index 0000000..a510c4d
--- /dev/null
+++ b/queries/windows/startup_folder.yml
@@ -0,0 +1,15 @@
+title: Startup Folder
+description: Detect any vbs, jse or bat files being written to any Programs\StartUp folder, be that ProgramData or AppData locations.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1547
+ subtechnique: 001
+operating_system: windows
+query: FileFullName ContainsCIS "Programs\Startup" AND FileType In Contains Anycase
+ ("vbs","jse","bat") AND EventType = "File Creation"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/startup_shortcuts.yml b/queries/windows/startup_shortcuts.yml
new file mode 100644
index 0000000..80096d0
--- /dev/null
+++ b/queries/windows/startup_shortcuts.yml
@@ -0,0 +1,16 @@
+title: Startup Shortcuts
+description: Detection .lnk or .url files written to Startup folders.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1547
+ subtechnique: 009
+operating_system: windows
+query: (FileFullName ContainsCIS "Microsoft\Windows\Start Menu\Programs\Startup" AND
+ TgtFileExtension In Contains ("lnk","url") AND EventType = "File Creation") AND
+ SrcProcName Not In ("ONENOTE.EXE","msiexec.exe")
+false_positives: Some application installs.
+tags: null
+
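Review bot: The title and description say `sc.exe start` / `Start-Service`, but the sc.exe branch matches `ContainsCIS "create"`, which is service creation (already covered by modify_or_create_windows_service.yml) and not a start; change it to `SrcProcCmdLine RegExp "\bstart\b"` (or `ContainsCIS " start "`) so the rule detects what T1569.002 describes. `SrcProcParentName != "services.exe"` works, but the `Not In` form used elsewhere keeps the exclusion list extensible.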
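Review bot: `FileType In Contains Anycase ("vbs","jse","bat")` uses `FileType` where startup_shortcuts.yml and web_shell_creation.yml use `TgtFileExtension` for the same purpose; if the two are different DV fields one set of rules is wrong, so confirm which field holds the extension and use it consistently. The `In Contains` substring match on `"bat"` also hits values such as `batch` if FileType carries them; an exact-match list (with whatever anycase variant DV offers) is tighter.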
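Review bot: `TgtFileExtension In Contains ("lnk","url")` is the case-sensitive form, so a `.LNK` or `.URL` written with an upper-case extension is not matched even though web_shell_creation.yml uses `In Contains Anycase` on the same field; add `Anycase` here. The description "Detection .lnk or .url files" is missing its verb — `Detects .lnk or .url files written to Startup folders.` reads correctly.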
diff --git a/queries/windows/unquoted_service_path_for_program.exe.yml b/queries/windows/unquoted_service_path_for_program.exe.yml
new file mode 100644
index 0000000..6417a9c
--- /dev/null
+++ b/queries/windows/unquoted_service_path_for_program.exe.yml
@@ -0,0 +1,16 @@
+title: Unquoted Service Path for program.exe
+description: Detects creation or modification of the file at C:\program.exe for exploiting
+ unquoted services paths of Program Files folder.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Defense Evasion, Persistence, Privilege Escalation
+ technique: T1574
+ subtechnique: 009
+operating_system: windows
+query: (FileFullName = "C:\program.exe" AND EventType In ("File Creation","File Modification"))
+ OR TgtProcImagePath = "C:\program.exe"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/vbs_execution_from_temp.yml b/queries/windows/vbs_execution_from_temp.yml
new file mode 100644
index 0000000..b2a5062
--- /dev/null
+++ b/queries/windows/vbs_execution_from_temp.yml
@@ -0,0 +1,14 @@
+title: Visual Basic Execution From Temp
+description: Detect execution of vbs files from any Temp\ directory to be more useful.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution
+ technique: T1059
+ subtechnique: 005
+operating_system: windows
+query: SrcProcName = "cscript.exe" AND SrcProcCmdLine RegExp "\bTemp\b.*\.(vbs)"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/web_shell_creation.yml b/queries/windows/web_shell_creation.yml
new file mode 100644
index 0000000..b35eec8
--- /dev/null
+++ b/queries/windows/web_shell_creation.yml
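Review bot: `FileFullName = "C:\program.exe"` and `TgtProcImagePath = "C:\program.exe"` are exact comparisons; if `=` is case-sensitive in DV, `C:\Program.exe` on a case-insensitive NTFS volume is not matched, so use the anycase equality DV offers or `ContainsCIS` anchored on the drive. The rule covers only the root-level candidate, while the same technique applies to other unquoted-path candidates beneath `Program Files`; state in the description that only `C:\program.exe` is in scope.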
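Review bot: `SrcProcName = "cscript.exe"` excludes `wscript.exe`, which is the default handler for a double-clicked `.vbs` and the more common interpreter in the scenario the title describes; use `SrcProcName In Contains Anycase ("cscript.exe","wscript.exe")`. The regex `\.(vbs)` has a needless group and misses `.vbe`; `\.vb[se]\b` covers both.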
@@ -0,0 +1,17 @@
+title: Web Shell Creation
+description: Generic web shell detection with filtering of possibly trusted sources
+ of noise.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Persistence
+ technique: T1505
+ subtechnique: 003
+operating_system: windows
+query: EventType = "File Creation" AND FileFullName ContainsCIS "inetpub\wwwroot"
+ AND TgtFileExtension In Contains Anycase ("jsp","aspx","php") AND SrcProcName Not
+ In ("explorer.exe","msdeploy.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_command_shell.yml b/queries/windows/windows_command_shell.yml
new file mode 100644
index 0000000..344f1af
--- /dev/null
+++ b/queries/windows/windows_command_shell.yml
@@ -0,0 +1,15 @@
+title: Windows Command Shell
+description: Query for bat files executed from temp directories where SrcProcParentName isn't an executable we want to filter.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution
+ technique: T1059
+ subtechnique: 003
+operating_system: windows
+query: (SrcProcName = "cmd.exe" AND FileFullName ContainsCIS "\Temp" AND FileType
+ = "bat") AND SrcProcParentName Not In ("msiexec.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_logon_scripts.yml b/queries/windows/windows_logon_scripts.yml
new file mode 100644
index 0000000..2888ba1
--- /dev/null
+++ b/queries/windows/windows_logon_scripts.yml
@@ -0,0 +1,14 @@
+title: Windows Logon Scripts
+description: Detects addition of logon scripts through command line or registry methods.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation
+ technique: T1037
+ subtechnique: 001
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS
+ "UserInitMprLogonScript" AND EventType = "Registry Value Create")
+false_positives: null
+tags: null
\ No newline at end of file
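Review bot: The extension list `("jsp","aspx","php")` omits `asp`, `ashx`, `asmx` and `cshtml`, which IIS — the only server implied by the `inetpub\wwwroot` path — also executes as code, so the "generic" detection claimed in the description is narrower than it reads; either widen the list or narrow the description. `inetpub\wwwroot` is only the default site root, so sites hosted elsewhere are not covered, and that limitation belongs in the description too. The `SrcProcName Not In ("explorer.exe","msdeploy.exe")` exclusion is by process name only; if the platform exposes the image path for the writing process, excluding on the full path of the deployment tool is the tighter filter.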
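Review bot: The query pairs `SrcProcName = "cmd.exe"` with `FileFullName ContainsCIS "\Temp"` and `FileType = "bat"` but never pins `EventType`, so as written it appears to match file events where cmd.exe is the source process touching a `.bat` under Temp rather than the execution of a `.bat` the description promises; if execution is the goal the condition should be on `SrcProcCmdLine` or `TgtProcCmdLine` containing the script path, with the matching `EventType`. It also uses `FileType` where the Startup Shortcuts and Web Shell Creation hunks use `TgtFileExtension` — confirm which field this platform populates. `"\Temp"` as a substring also matches any directory whose name merely starts with those letters, for example `\Templates`; `"\Temp\"` with the trailing separator is tighter.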
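Review bot: The registry branch accepts only `EventType = "Registry Value Create"`, so a change to an already-present `UserInitMprLogonScript` value is not caught; the platform's value-modification event type (its exact name is not visible on this page) should be accepted alongside it. `UserInitMprLogonScript` is a value name rather than a key, so on some event types it may be surfaced in a value-name field instead of `RegistryKeyPath`; worth checking against a real event before relying on the `ContainsCIS` match. This is also the only file in the set without a trailing newline (`\ No newline at end of file`).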
diff --git a/queries/windows/windows_management_instrumentation.yml b/queries/windows/windows_management_instrumentation.yml
new file mode 100644
index 0000000..ed74f8f
--- /dev/null
+++ b/queries/windows/windows_management_instrumentation.yml
@@ -0,0 +1,17 @@
+title: Windows Management Instrumentation
+description: Detection query has been limited to wmic.exe, and focuses on discovery and execution
+ commandlines.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Execution
+ technique: T1047
+ subtechnique: null
+operating_system: windows
+query: ( SrcProcName = "WMIC.exe" AND SrcProcCmdLine In Contains Anycase ("useraccount
+ get","process get","qfe get","service where","process call","call create") ) AND
+ SrcProcParentName Not In ("msiexec.exe")
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_management_instrumentation_event_subscription.yml b/queries/windows/windows_management_instrumentation_event_subscription.yml
new file mode 100644
index 0000000..11ae1c7
--- /dev/null
+++ b/queries/windows/windows_management_instrumentation_event_subscription.yml
@@ -0,0 +1,16 @@
+title: Windows Management Instrumentation Event Subscription
+description: Detect WMI Event Subs using the New-CimInstance cmdlet, through CommandLine
+ and CommandScript indicators.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1546
+ subtechnique: 003
+operating_system: windows
+query: SrcProcCmdLine ContainsCIS "New-CimInstance -Namespace root/subscription" OR
+ SrcProcCmdScript ContainsCIS "New-CimInstance -Namespace root/subscription"
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_remote_management.yml b/queries/windows/windows_remote_management.yml
new file mode 100644
index 0000000..cc2845a
--- /dev/null
+++ b/queries/windows/windows_remote_management.yml
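Review bot: `SrcProcName = "WMIC.exe"` uses mixed case while the Windows Remote Management hunk matches `TgtProcName = "wmic.exe"`; if `=` is case-sensitive in this query language one of the two never matches, so agree on one spelling or use a case-insensitive operator as the `ContainsCIS` clauses already do. The description correctly says the query "has been limited to wmic.exe", but the title names the whole technique, so it should also say that WMI use from PowerShell (`Get-WmiObject`, `Invoke-CimMethod`) is out of scope. The `SrcProcParentName Not In ("msiexec.exe")` exclusion is by name only, with the same caveat as elsewhere on the page.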
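Review bot: Both clauses match the exact text `New-CimInstance -Namespace root/subscription`, so the backslash form `root\subscription`, a quoted namespace or a different parameter order produce no hit, and `Set-WmiInstance` or `wmic.exe` subscription creation is not covered at all; either say in the description that only this one spelling is detected, or split the match into `ContainsCIS "New-CimInstance"` and `ContainsCIS "subscription"` (or use `RegExp`, which the Visual Basic hunk already relies on). `tactic: Privilege Escalation, Persistence` is a comma-joined string rather than a YAML list, as in the Startup Shortcuts hunk.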
@@ -0,0 +1,22 @@
+title: Windows Remote Management
+description: The below query (in order) remote process executions through MMC, WMIC,
+ and PsExec (by name or display name). Also of note, there are only 3 tests documented
+ for this Atomic, yet there are 6 tests, so the below query focuses on detectability.
+ PsExec detection may have a lot of noise depending on your environment, and may
+ require additional filtering.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Lateral Movement
+ technique: T1021
+ subtechnique: 006
+operating_system: windows
+query: (TgtProcCmdLine ContainsCIS "GetTypeFromProgID(" AND TgtProcCmdLine ContainsCIS
+ "MMC20.application" AND TgtProcCmdLine ContainsCIS ".Document.ActiveView.ExecuteShellCommand(")
+ OR (TgtProcName = "wmic.exe" AND TgtProcCmdLine ContainsCIS "/node:" AND TgtProcCmdLine
+ ContainsCIS "process call create") OR ((SrcProcName ContainsCIS "psexec.exe" OR
+ SrcProcDisplayName = "Execute processes remotely") AND DstIp Is Not Empty)
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_service_creation.yml b/queries/windows/windows_service_creation.yml
new file mode 100644
index 0000000..8241cd7
--- /dev/null
+++ b/queries/windows/windows_service_creation.yml
@@ -0,0 +1,15 @@
+title: Windows Service Creation
+description: Detects creation and modification of windows services through binPath
+ argument to sc.exe.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation
+ technique: T1543
+ subtechnique: 003
+operating_system: windows
+query: TgtProcName = "sc.exe" AND TgtProcCmdLine Contains "binPath="
+false_positives: null
+tags: null
+
diff --git a/queries/windows/windows_share_creation.yml b/queries/windows/windows_share_creation.yml
new file mode 100644
index 0000000..44f4e27
--- /dev/null
+++ b/queries/windows/windows_share_creation.yml
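Review bot: The mapping `technique: T1021` / `subtechnique: 006` is Windows Remote Management (WinRM), yet none of the three branches looks at WinRM: the first matches the MMC20.Application DCOM method (T1021.003), the second `wmic /node: ... process call create` (T1047) and the third PsExec over SMB (T1021.002 / T1569.002). Either rename the file and title to what is actually detected, or add a WinRM branch keyed on `winrs.exe`, `Enter-PSSession`/`Invoke-Command -ComputerName` in the command line, or `wsmprovhost.exe` as the target process. The description's first sentence is missing its verb ("The below query (in order) remote process executions ...") and the remark about Atomic test counts is maintainer context that belongs in `tags` or a comment, not the analyst-facing description. `DstIp Is Not Empty` on the PsExec branch accepts any destination, which is where the noise the description warns about will come from; an exclusion for known admin jump hosts would make it usable.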
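Review bot: `TgtProcCmdLine Contains "binPath="` is the only command-line test on this page using `Contains` rather than `ContainsCIS`; if `Contains` is case-sensitive (the existence of a separate `ContainsCIS` operator suggests it is), then `binpath=` — which `sc.exe` accepts just the same — is missed, so change it to `ContainsCIS "binPath="`. The mapping lists only `tactic: Privilege Escalation`, whereas T1543.003 is Persistence as well. The description says creation and modification are detected; modification via `sc config` is caught only because it carries the same `binPath=` substring, which is worth stating explicitly.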
@@ -0,0 +1,15 @@
+title: Windows Share Creation
+description: Detecting the creation and use of Windows shares, may catch a lot of legitimate activity.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Lateral Movement
+ technique: T1021
+ subtechnique: 002
+operating_system: windows
+query: TgtProcCmdLine ContainsCIS "New-PSDrive" OR (TgtProcName = "net.exe" AND TgtProcCmdLine
+ ContainsCIS "use ")
+false_positives: Share creations.
+tags: null
+
diff --git a/queries/windows/winlogon_helper_dll.yml b/queries/windows/winlogon_helper_dll.yml
new file mode 100644
index 0000000..e93b0fa
--- /dev/null
+++ b/queries/windows/winlogon_helper_dll.yml
@@ -0,0 +1,18 @@
+title: Winlogon Helper DLL
+description: Detects Winlogon Helper Dll changes through Registry MetadataIndicator
+ item, as it holds the full registry change info but will only return data of the
+ Indicators object type.
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+ tactic: Privilege Escalation, Persistence
+ technique: T1547
+ subtechnique: 004
+operating_system: windows
+query: IndicatorMetadata In Contains Anycase ("Microsoft\Windows NT\CurrentVersion\Winlogon","Microsoft\Windows
+ NT\CurrentVersion\Winlogon\Notify") AND IndicatorMetadata In Contains Anycase ("logon","Userinit","Shell")
+ AND IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"
+false_positives: null
+tags: null
+
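Review bot: The `net.exe` branch matches `use ` but not `share`, so share creation (`net share`), which both the title and description name, is not detected — only mapping an existing share via `net use` and `New-PSDrive` is. Add `"share "` to the match, e.g. `TgtProcCmdLine In Contains ("use ","share ")`, or narrow the title and `false_positives` text to share mapping. `net1.exe` runs the same commands and is not matched by `TgtProcName = "net.exe"`, and `New-PSDrive` also creates local filesystem and provider drives, so that clause fires on non-network use as well.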
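Review bot: The exclusion `IndicatorMetadata Does Not ContainCIS "WINDOWS\system32\userinit.exe"` is a substring test, so any Userinit value that still contains the default path — including one with an extra comma-separated entry appended to it, which is the form this technique usually takes — is suppressed along with the benign default. Exclude only on the complete default value with an exact comparison of the whole data string, or drop the exclusion and record the default in `false_positives` instead. `tactic: Privilege Escalation, Persistence` is a comma-joined string rather than a YAML list, as in the Startup Shortcuts hunk, and the description's remark that the indicator "will only return data of the Indicators object type" is a platform caveat better kept in a comment or `tags`.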