Skip to content

Commit

Permalink
Merge PR #4774 from @nasbench - Fix and update multiple rules
Browse files Browse the repository at this point in the history
fix: EVTX Created In Uncommon Location - Reduce level and remove filters
fix: Files With System Process Name In Unsuspected Locations - Add additional paths
fix: New RUN Key Pointing to Suspicious Folder
new: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
new: MaxMpxCt Registry Value Changed
update: Potentially Suspicious CMD Shell Output Redirect - Enhance logic
update: Suspicious Command Patterns In Scheduled Task Creation - Enhance logic

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
  • Loading branch information
nasbench and phantinuss authored Mar 26, 2024
1 parent 0d63f52 commit f0395b8
Show file tree
Hide file tree
Showing 10 changed files with 129 additions and 72 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: experimental
description: |
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
references:
- https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py
- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/03/20
tags:
- attack.initial_access
- cve.2024.1212
logsource:
category: webserver
detection:
selection_path:
cs-method: 'GET'
cs-uri-stem|contains|all:
- '/access/set'
- 'param=enableapi'
- 'value=1'
selection_keywords:
- 'Basic Jz'
- 'Basic c7'
- 'Basic nO'
- "Basic ';"
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,18 @@ related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: similar
status: test
description: Detects the use of the redirection character ">" to redicrect information in commandline
description: |
Detects the use of the redirection character ">" to redirect information on the command line.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
- https://ss64.com/nt/syntax-redirection.html
author: frack113
date: 2022/01/22
modified: 2023/03/07
modified: 2024/03/19
tags:
- attack.discovery
- attack.t1082
- detection.threat_hunting
logsource:
category: process_creation
product: windows
Expand All @@ -22,12 +25,12 @@ detection:
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains: '>'
filter_idm_extension:
filter_optional_idm_extension:
CommandLine|contains:
- 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
- 'chrome-extension://'
- '\\.\pipe\chrome.nativeMessaging'
condition: all of selection_* and not 1 of filter_*
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
level: low
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: experimental
description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls
description: |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023/01/02
modified: 2023/07/13
modified: 2024/03/26
tags:
- attack.defense_evasion
- attack.t1562.002
Expand All @@ -18,15 +21,12 @@ detection:
selection:
TargetFilename|endswith: '.evtx'
filter_main_path:
TargetFilename|contains: ':\Windows\System32\winevt\Logs\'
TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
filter_main_baseimage:
TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\'
TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
filter_main_generic_img:
Image|endswith:
- ':\Windows\explorer.exe'
- ':\Windows\system32\dllhost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrator or backup activity
level: high
- An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name">_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,12 @@ id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020/05/26
modified: 2023/11/10
modified: 2024/03/18
tags:
- attack.defense_evasion
- attack.t1036.005
Expand Down Expand Up @@ -89,48 +90,38 @@ detection:
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
filter_main_dism_tiworker:
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
- ':\Windows\SoftwareDistribution\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- '\SystemRoot\System32\'
Image|endswith:
- '\Windows\System32\dism.exe'
- '\TiWorker.exe'
filter_main_setuphost:
TargetFilename|contains: ':\$WINDOWS.~BT\'
Image|endswith: ':\$WINDOWS.~BT\Sources\SetupHost.exe'
filter_main_wbengine:
TargetFilename|endswith: '\RuntimeBroker.exe'
Image|endswith: ':\Windows\system32\wbengine.exe'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
filter_main_svchost:
Image|endswith: ':\Windows\system32\svchost.exe'
TargetFilename|contains:
- ':\Windows\SoftwareDistribution\Download\'
- ':\Program Files\WindowsApps\'
Image|endswith: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains: 'C:\Program Files\WindowsApps\'
filter_main_wuauclt:
Image|endswith: ':\Windows\System32\wuauclt.exe'
Image|endswith: 'C:\Windows\System32\wuauclt.exe'
filter_main_explorer:
TargetFilename|endswith: ':\Windows\explorer.exe'
TargetFilename|endswith: 'C:\Windows\explorer.exe'
filter_main_msiexec:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith: ':\WINDOWS\system32\msiexec.exe'
Image|endswith: 'C:\WINDOWS\system32\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|endswith:
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
filter_main_healtray:
TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
Image|endswith: '\SecurityHealthSetup.exe'
filter_main_wuaucltcore:
Image|contains: ':\Windows\uus\'
Image|endswith: '\wuaucltcore.exe'
TargetFilename|contains: ':\$WinREAgent\'
condition: selection and not 1 of filter_main_*
falsepositives:
- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here
level: high
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
Original file line number Diff line number Diff line change
@@ -1,17 +1,19 @@
title: Suspicious CMD Shell Output Redirect
title: Potentially Suspicious CMD Shell Output Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
related:
- id: aa2efee7-34dd-446e-8a37-40790a66efd7
type: derived
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
type: similar
status: experimental
description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location
description: |
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/12
modified: 2023/05/15
modified: 2024/03/19
tags:
- attack.defense_evasion
- attack.t1218
Expand All @@ -24,24 +26,18 @@ detection:
- OriginalFileName: 'Cmd.Exe'
selection_cli_1:
CommandLine|contains:
# Add more suspicious locations as you find them
# The space from the start is missing to cover append operations ">>"
- '> \Users\Public\'
- '> %APPDATA%\'
- '> %TEMP%\'
- '> %TMP%\'
- '> %USERPROFILE%\'
- '> C:\Temp\'
- '> C:\Users\Public\'
- '> C:\Windows\Temp\'
- '>\Users\Public\'
- '>%APPDATA%\'
- '>%TEMP%\'
- '>%TMP%\'
- '>%USERPROFILE%\'
- '>C:\Temp\'
- '>C:\Users\Public\'
- '>C:\Windows\Temp\'
# Note: Add more suspicious locations as you find them
# Note: The space from the start is missing to cover append operations ">>"
# Note: We use the "?" to account for both a single and a double quote
# Note: If you want to account for more spaces which is still a valid bypass option. Use a regex with "\s"
- '>?%APPDATA%\'
- '>?%TEMP%\'
- '>?%TMP%\'
- '>?%USERPROFILE%\'
- '>?C:\ProgramData\'
- '>?C:\Temp\'
- '>?C:\Users\Public\'
- '>?C:\Windows\Temp\'
selection_cli_2:
CommandLine|contains:
- ' >'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/02
modified: 2024/03/19
tags:
- attack.defense_evasion
- attack.t1562.001
Expand All @@ -17,7 +18,7 @@ logsource:
product: windows
detection:
selection_img:
- Image|endswith: 'reg.exe'
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_safeboot:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022/02/23
modified: 2023/12/21
modified: 2024/03/19
tags:
- attack.execution
- attack.t1053.005
Expand Down Expand Up @@ -47,6 +47,10 @@ detection:
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
title: Office Macros Auto-Enabled
title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
- id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
Expand All @@ -11,7 +11,7 @@ references:
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020/05/22
modified: 2023/08/17
modified: 2024/03/19
tags:
- attack.defense_evasion
- attack.t1112
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: experimental
description: |
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/03/19
tags:
- attack.defense_evasion
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
condition: selection
falsepositives:
- Unknown
level: low
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing
date: 2018/08/25
modified: 2023/12/11
modified: 2024/03/18
tags:
- attack.persistence
- attack.t1547.001
Expand All @@ -33,9 +33,12 @@ detection:
- '%Public%\'
- 'wscript'
- 'cscript'
condition: all of selection_*
fields:
- Image
filter_main_windows_update:
Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
Details|contains|all:
- 'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
- 'C:\Windows\Temp\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Software using weird folders for updates
level: high

0 comments on commit f0395b8

Please sign in to comment.