Merge PR #5106 from @nasbench - Add SID version of integrity levels
chore: add SID version of IntegrityLevel
fix: Suspicious Process By Web Server Process - Fix typo in "ntdsutil" process name
nasbench authored Dec 1, 2024
1 parent 6e71f6a commit 6048be5
Showing 31 changed files with 127 additions and 78 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
date: 2019-11-20
modified: 2022-05-27
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1068
Expand All @@ -17,17 +17,18 @@ logsource:
category: process_creation
product: windows
detection:
selection:
selection_img:
ParentImage|endswith: '\consent.exe'
Image|endswith: '\iexplore.exe'
CommandLine|contains: ' http'
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and ( rights1 or rights2 )
selection_rights:
- IntegrityLevel:
- 'System' # for Sysmon users
- 'S-1-16-16384' # System
- User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: all of selection_*
falsepositives:
- Unknown
level: critical
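Review bot: no semantic change in this hunk, which is good to confirm explicitly: `selection_rights` is now a YAML list of two maps, so Sigma ORs the `IntegrityLevel` map against the `User|contains` map, and `all of selection_*` ANDs that result with `selection_img`, which reproduces the old `selection and ( rights1 or rights2 )`. One documentation point: the `# for Sysmon users` comment on `'System'` now sits next to `'S-1-16-16384' # System`, but nothing says which log source reports the label in SID form; a short comment naming the non-Sysmon counterpart would make the pairing self-explanatory for rule maintainers.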
Expand Up @@ -9,7 +9,7 @@ references:
- https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2023-02-13
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1068
Expand All @@ -30,7 +30,9 @@ detection:
- 'pwsh.dll'
selection_parent:
ParentImage|endswith: '\elevation_service.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
condition: all of selection_*
falsepositives:
- Unknown
Expand Up @@ -7,7 +7,7 @@ references:
- https://streamable.com/q2dsji
author: Florian Roth (Nextron Systems), Maxime Thiebaut
date: 2021-08-23
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1553
Expand All @@ -18,10 +18,12 @@ logsource:
detection:
selection:
ParentImage|endswith: '\RazerInstaller.exe'
IntegrityLevel: 'System'
filter:
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
filter_main_razer:
Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
level: high
Expand Up @@ -8,6 +8,7 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1202
Expand All @@ -16,7 +17,9 @@ logsource:
category: process_creation
detection:
selection:
IntegrityLevel: 'High'
IntegrityLevel:
- 'High'
- 'S-1-16-12288'
CommandLine|contains|all:
- 'conhost.exe'
- '0xffffffff'
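Review bot: style point on the new `IntegrityLevel` list: `'S-1-16-12288'` is added bare, whereas other hunks in this commit annotate the SID form with a trailing comment (e.g. `- 'S-1-16-16384' # System`). Adding `# High` here, and giving the other uncommented SID entries in this commit the same treatment, keeps the rules readable for someone who does not have the mandatory-label SIDs memorized.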
Expand Up @@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-03-13
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1218.007
Expand Down Expand Up @@ -39,7 +39,9 @@ detection:
ParentImage|startswith: 'C:\Windows\Temp\'
filter_ccm:
ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- WindowsApps installing updates via the quiet flag
Expand Up @@ -7,7 +7,7 @@ references:
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2023-01-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1574.011
Expand All @@ -16,7 +16,9 @@ logsource:
category: process_creation
detection:
selection:
IntegrityLevel: 'Medium'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'services'
Expand Up @@ -7,7 +7,7 @@ references:
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2022-07-14
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-evasion
Expand All @@ -19,7 +19,9 @@ logsource:
detection:
scbynonadmin:
Image|endswith: '\sc.exe'
IntegrityLevel: 'Medium'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
selection_binpath:
CommandLine|contains|all:
- 'config'
Expand Up @@ -7,6 +7,7 @@ references:
- https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.persistence
Expand All @@ -30,7 +31,9 @@ detection:
filter_main_extension_xml:
CommandLine|contains: '.xml'
filter_main_system_process:
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_main_rundll32:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
Expand Up @@ -6,7 +6,7 @@ references:
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021-07-11
modified: 2023-02-09
modified: 2024-12-01
tags:
- attack.execution
- attack.t1203
Expand All @@ -18,7 +18,9 @@ logsource:
detection:
spoolsv:
ParentImage|endswith: '\spoolsv.exe'
IntegrityLevel: System
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
suspicious_unrestricted:
Image|endswith:
- '\gpupdate.exe'
Expand Up @@ -6,7 +6,7 @@ references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2023-03-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
Expand All @@ -25,7 +25,9 @@ detection:
Image|endswith: 'tmp'
selection_image_2:
Image|endswith: '\msiexec.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_installer:
ParentImage: 'C:\Windows\System32\services.exe'
filter_repair:
Expand Up @@ -9,7 +9,7 @@ references:
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2022-12-15
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1134.002
Expand All @@ -32,7 +32,9 @@ detection:
- '\SYSTEM'
- '\Système'
- '\СИСТЕМА'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
Expand Up @@ -6,38 +6,35 @@ references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2022-07-07
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
reg:
CommandLine|contains|all:
- 'reg '
- 'add'
powershell:
CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
select_data:
IntegrityLevel: 'Medium'
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: (reg or powershell) and select_data
fields:
- EventID
- IntegrityLevel
- CommandLine
condition: all of selection_*
falsepositives:
- Unknown
level: high
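Review bot: this hunk drops the `fields:` block (`EventID`, `IntegrityLevel`, `CommandLine`) alongside the selection rework, but the commit message only mentions adding the SID form of `IntegrityLevel`; either mention the `fields` removal in the message or split it into its own commit so the history explains it. On the logic: folding `reg` and `powershell` into `selection_cli` as a list of two maps preserves the OR between them, and `all of selection_*` ANDs that with the renamed `selection_data`, so the new condition is equivalent to the old `(reg or powershell) and select_data`.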
Expand Up @@ -7,7 +7,7 @@ references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-11-11
modified: 2024-12-01
tags:
- attack.credential-access
- attack.defense-evasion
Expand All @@ -20,7 +20,9 @@ logsource:
product: windows
detection:
selection:
IntegrityLevel: System
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Expand Up @@ -31,11 +31,6 @@ detection:
- 'qwsu '
- 'uwdqs '
condition: all of selection*
fields:
- IntegrityLevel
- Product
- Description
- CommandLine
falsepositives:
- System administrator Usage
level: medium
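Review bot: this file's only hunk removes the `fields:` block, yet unlike the other rules touched in this commit there is no accompanying `modified:` bump visible, and the removal is not covered by the commit message; please add the date update or note why it was skipped. Separately, the untouched `condition: all of selection*` uses a bare `selection*` glob while the rest of the commit standardizes on `selection_*`; worth aligning while the file is already being edited.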
Expand Up @@ -6,6 +6,7 @@ references:
- https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
- attack.execution
logsource:
Expand All @@ -16,7 +17,9 @@ detection:
- Image|endswith: '\tscon.exe'
- OriginalFileName: 'tscon.exe'
selection_integrity:
IntegrityLevel: SYSTEM
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_*
falsepositives:
- Administrative activity
Expand Up @@ -8,7 +8,7 @@ references:
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
Expand All @@ -23,6 +23,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
Expand Up @@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
Expand All @@ -21,6 +21,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
Expand Up @@ -9,7 +9,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2022-09-21
modified: 2024-12-01
tags:
- attack.execution
- attack.defense-evasion
Expand All @@ -33,6 +33,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)