diff --git a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
index 87ece1d91c7..c161099f221 100644
--- a/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
+++ b/rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml
@@ -7,7 +7,7 @@ references:
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth (Nextron Systems)
 date: 2019-11-20
-modified: 2022-05-27
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1068
@@ -17,17 +17,18 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_img:
 ParentImage|endswith: '\consent.exe'
 Image|endswith: '\iexplore.exe'
 CommandLine|contains: ' http'
- rights1:
- IntegrityLevel: 'System' # for Sysmon users
- rights2:
- User|contains: # covers many language settings
- - 'AUTHORI'
- - 'AUTORI'
- condition: selection and ( rights1 or rights2 )
+ selection_rights:
+ - IntegrityLevel:
+ - 'System' # for Sysmon users
+ - 'S-1-16-16384' # System
+ - User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
index 90b5fb8cbdb..ba6f10f9950 100644
--- a/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
+++ b/rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml
@@ -9,7 +9,7 @@ references:
 - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
 author: Florian Roth (Nextron Systems)
 date: 2021-11-22
-modified: 2023-02-13
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1068
@@ -30,7 +30,9 @@ detection:
 - 'pwsh.dll'
 selection_parent:
 ParentImage|endswith: '\elevation_service.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384' # System
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
index e44c7aef98f..725e9025d78 100644
--- a/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
+++ b/rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml
@@ -7,7 +7,7 @@ references:
 - https://streamable.com/q2dsji
 author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1553
@@ -18,10 +18,12 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\RazerInstaller.exe'
- IntegrityLevel: 'System'
- filter:
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384' # System
+ filter_main_razer:
 Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - User selecting a different installation folder (check for other sub processes of this explorer.exe process)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
index 7e412b26610..d50a60c50d9 100644
--- a/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
+++ b/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml
@@ -8,6 +8,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
 author: frack113
 date: 2022-12-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1202
@@ -16,7 +17,9 @@ logsource:
 category: process_creation
 detection:
 selection:
- IntegrityLevel: 'High'
+ IntegrityLevel:
+ - 'High'
+ - 'S-1-16-12288'
 CommandLine|contains|all:
 - 'conhost.exe'
 - '0xffffffff'
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
index fdf292ae355..9152850365a 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/_st0pp3r_/status/1583914244344799235
 author: frack113
 date: 2022-01-16
-modified: 2024-03-13
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1218.007
@@ -39,7 +39,9 @@ detection:
 ParentImage|startswith: 'C:\Windows\Temp\'
 filter_ccm:
 ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - WindowsApps installing updates via the quiet flag
diff --git a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
index df0524ed9c2..5882e2661c8 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml
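Review bot: The SID value added for the conhost rule, `- 'S-1-16-12288'`, carries no comment, while the same values elsewhere in this commit are annotated (`# High`, `# System`), so a reader tuning the rule has to know the mandatory-label SID table by heart. Writing it as `- 'S-1-16-12288' # High` here, and `# System` / `# Medium` on the uncommented SID lines in the msiexec_install_quiet, registry_privilege_escalation_via_service_key, sc_change_sevice_image_path_by_non_admin, schtasks_schedule_via_masqueraded_xml_file, spoolsv_susp_child_processes, susp_always_install_elevated_windows_installer, susp_child_process_as_system_, susp_non_priv_reg_or_ps, susp_system_user_anomaly and tscon_rdp_session_hijacking hunks, keeps the commit consistent with itself. A one-line comment saying why both spellings are listed would also help, since only some log sources report the integrity level as a SID rather than a name; the `selection` block continues outside the hunk.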
@@ -7,7 +7,7 @@ references:
 - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2023-01-30
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1574.011
@@ -16,7 +16,9 @@ logsource:
 category: process_creation
 detection:
 selection:
- IntegrityLevel: 'Medium'
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 CommandLine|contains|all:
 - 'ControlSet'
 - 'services'
diff --git a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
index 1d3ea3bd064..740e1f8957b 100644
--- a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
@@ -7,7 +7,7 @@ references:
 - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 author: Teymur Kheirkhabarov
 date: 2019-10-26
-modified: 2022-07-14
+modified: 2024-12-01
 tags:
 - attack.persistence
 - attack.defense-evasion
@@ -19,7 +19,9 @@ logsource:
 detection:
 scbynonadmin:
 Image|endswith: '\sc.exe'
- IntegrityLevel: 'Medium'
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 selection_binpath:
 CommandLine|contains|all:
 - 'config'
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
index a7d8db95a25..541d8fc096b 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
 author: Swachchhanda Shrawan Poudel, Elastic (idea)
 date: 2023-04-20
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.persistence
@@ -30,7 +31,9 @@ detection:
 filter_main_extension_xml:
 CommandLine|contains: '.xml'
 filter_main_system_process:
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_main_rundll32:
 ParentImage|endswith: '\rundll32.exe'
 ParentCommandLine|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
index e34e32611c9..c18c736d7de 100644
--- a/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
 author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
 date: 2021-07-11
-modified: 2023-02-09
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.t1203
@@ -18,7 +18,9 @@ logsource:
 detection:
 spoolsv:
 ParentImage|endswith: '\spoolsv.exe'
- IntegrityLevel: System
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 suspicious_unrestricted:
 Image|endswith:
 - '\gpupdate.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
index ef7734a59da..8e4efb8d4c8 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml
@@ -6,7 +6,7 @@ references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020-10-13
-modified: 2023-03-23
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1548.002
@@ -25,7 +25,9 @@ detection:
 Image|endswith: 'tmp'
 selection_image_2:
 Image|endswith: '\msiexec.exe'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_installer:
 ParentImage: 'C:\Windows\System32\services.exe'
 filter_repair:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index ca37a85689d..1234c122754 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
 date: 2019-10-26
-modified: 2022-12-15
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.t1134.002
@@ -32,7 +32,9 @@ detection:
 - '\SYSTEM'
 - '\Système'
 - '\СИСТЕМА'
- IntegrityLevel: 'System'
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 filter_rundll32:
 Image|endswith: '\rundll32.exe'
 CommandLine|contains: 'DavSetCookie'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
index d4da3213073..a5e46c532b5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml
@@ -6,7 +6,7 @@ references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020-10-05
-modified: 2022-07-07
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.t1112
@@ -14,18 +14,19 @@ logsource:
 category: process_creation
 product: windows
 detection:
- reg:
- CommandLine|contains|all:
- - 'reg '
- - 'add'
- powershell:
- CommandLine|contains:
- - 'powershell'
- - 'set-itemproperty'
- - ' sp '
- - 'new-itemproperty'
- select_data:
- IntegrityLevel: 'Medium'
+ selection_cli:
+ - CommandLine|contains|all:
+ - 'reg '
+ - 'add'
+ - CommandLine|contains:
+ - 'powershell'
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ selection_data:
+ IntegrityLevel:
+ - 'Medium'
+ - 'S-1-16-8192'
 CommandLine|contains|all:
 - 'ControlSet'
 - 'Services'
@@ -33,11 +34,7 @@ detection:
 - 'ImagePath'
 - 'FailureCommand'
 - 'ServiceDLL'
- condition: (reg or powershell) and select_data
-fields:
- - EventID
- - IntegrityLevel
- - CommandLine
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 05427278224..8ddc2570925 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-11-11
+modified: 2024-12-01
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -20,7 +20,9 @@ logsource:
 product: windows
 detection:
 selection:
- IntegrityLevel: System
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
index b744b889649..52606b4428d 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml
@@ -31,11 +31,6 @@ detection:
 - 'qwsu '
 - 'uwdqs '
 condition: all of selection*
-fields:
- - IntegrityLevel
- - Product
- - Description
- - CommandLine
 falsepositives:
 - System administrator Usage
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
index da3c8b1ad66..23ba274be70 100644
--- a/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
+++ b/rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/Moti_B/status/909449115477659651
 author: '@juju4'
 date: 2022-12-27
+modified: 2024-12-01
 tags:
 - attack.execution
 logsource:
@@ -16,7 +17,9 @@ detection:
 - Image|endswith: '\tscon.exe'
 - OriginalFileName: 'tscon.exe'
 selection_integrity:
- IntegrityLevel: SYSTEM
+ IntegrityLevel:
+ - 'System'
+ - 'S-1-16-16384'
 condition: all of selection_*
 falsepositives:
 - Administrative activity
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
index e35de890eca..baa7cabea9c 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml
@@ -8,7 +8,7 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -23,6 +23,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
index 54431028ce1..ebc11bec2c6 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index e57df597952..e78e952d8d2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Nik Seetharaman, Christian Burkard (Nextron Systems)
 date: 2019-07-31
-modified: 2022-09-21
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -33,6 +33,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Legitimate CMSTP use (unlikely in modern enterprise environments)
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
index 0163e1ac983..b5c009b3a1f 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-31
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 Image: 'C:\Windows\System32\ComputerDefaults.exe'
 filter:
 ParentImage|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
index e21dee1e9b0..959e21ec5ac 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
index 8250a092d05..5ec3876d27c 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -23,6 +23,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
index 05ecaa8ee28..a9b10889056 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/Wh04m1001/IDiagnosticProfileUAC
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-03
+modified: 2024-12-01
 tags:
 - attack.execution
 - attack.defense-evasion
@@ -21,6 +22,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
index da0fa174b2a..b0590e33dee 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\ieinstal.exe'
 Image|contains: '\AppData\Local\Temp\'
 Image|endswith: 'consent.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
index 52bec8124ed..0a4eaa08db0 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
 CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
index dfe8b47398f..3db306a9b2a 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 selection2:
 ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
 IntegrityLevel:
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
index 523d2be04ec..a57e45efe4d 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -21,6 +21,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
index 77976a2efbd..276326a63b2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml
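Review bot: Only `selection1` receives the SID forms in the ntfs_reparse_point hunk, while `selection2` also has an `IntegrityLevel` list that begins on the hunk's last line and continues outside it. If that second list still holds only `'High'`/`'System'`, an event from a source that reports the mandatory label as a SID would satisfy `selection1` but never the dism.exe child branch, so the two halves of the rule would behave differently on the same log source. Adding `- 'S-1-16-16384' # System` and `- 'S-1-16-12288' # High` to `selection2` as well keeps both selections aligned; the detection block continues outside the hunk.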
@@ -7,7 +7,7 @@ references:
 - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020-05-02
-modified: 2023-02-14
+modified: 2024-12-01
 tags:
 - attack.privilege-escalation
 - attack.defense-evasion
@@ -18,7 +18,9 @@ logsource:
 detection:
 selection:
 Image|endswith: 'sdclt.exe'
- IntegrityLevel: 'High'
+ IntegrityLevel:
+ - 'High'
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
index c230f475e9a..2889f4f0f31 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-30
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -19,6 +19,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
 ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
index a365002b800..dda9e21e4f2 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -15,18 +15,18 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_img_1:
 Image: 'C:\Program Files\Windows Media Player\osk.exe'
- IntegrityLevel:
- - 'High'
- - 'System'
- selection2:
+ selection_img_2:
 Image: 'C:\Windows\System32\cmd.exe'
 ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
+ selection_integrity:
 IntegrityLevel:
 - 'High'
 - 'System'
- condition: 1 of selection*
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
+ condition: 1 of selection_img_* and selection_integrity
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
index 2e139752a3b..960e395d83b 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
@@ -8,7 +8,7 @@ references:
 - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 author: Christian Burkard (Nextron Systems)
 date: 2021-08-23
-modified: 2022-10-09
+modified: 2024-12-01
 tags:
 - attack.defense-evasion
 - attack.privilege-escalation
@@ -22,6 +22,8 @@ detection:
 IntegrityLevel:
 - 'High'
 - 'System'
+ - 'S-1-16-16384' # System
+ - 'S-1-16-12288' # High
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
index 476809f3cf0..0fdc959f89e 100644
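Review bot: Moving `IntegrityLevel` into a shared `selection_integrity` and requiring it through `1 of selection_img_* and selection_integrity` tightens the wmp rule's second branch: before this hunk `selection2` (cmd.exe launched with the mmc.exe/eventvwr.msc parent command line) carried no integrity constraint, so it also matched when the level was Medium or the field was missing, which some log sources may not populate. That is a defensible choice for a UAC-bypass rule, but it is a behavioural change beyond adding the SID forms and nothing in the commit calls it out. Either confirm it is intended and reflect it in the rule description (outside the hunk), or keep the old scope with `condition: (selection_img_1 and selection_integrity) or selection_img_2` so only the osk.exe branch is gated on integrity level.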
--- a/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
+++ b/rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml
@@ -7,7 +7,7 @@ references:
 - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
 author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
 date: 2019-01-16
-modified: 2023-11-11
+modified: 2024-11-26
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -59,7 +59,7 @@ detection:
 - '\netdom.exe'
 - '\netsh.exe'
 - '\nltest.exe'
- - '\ntdutil.exe'
+ - '\ntdsutil.exe'
 - '\powershell_ise.exe'
 - '\powershell.exe'
 - '\pwsh.exe'