add SID version of integrity levels #5106

Merged
merged 1 commit into from
Dec 1, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
date: 2019-11-20
modified: 2022-05-27
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1068
Expand All @@ -17,17 +17,18 @@ logsource:
category: process_creation
product: windows
detection:
selection:
selection_img:
ParentImage|endswith: '\consent.exe'
Image|endswith: '\iexplore.exe'
CommandLine|contains: ' http'
rights1:
IntegrityLevel: 'System' # for Sysmon users
rights2:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and ( rights1 or rights2 )
selection_rights:
- IntegrityLevel:
- 'System' # for Sysmon users
- 'S-1-16-16384' # System
- User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: all of selection_*
falsepositives:
- Unknown
level: critical
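Review bot: the SID entry `'S-1-16-16384' # System` only maps the SID back to a name, while the `# for Sysmon users` comment now sits solely on the `'System'` string, so a reader of `selection_rights` cannot tell which log source reports IntegrityLevel as a SID and why both spellings are needed; record that in the comment (or the rule description). The list-of-maps form does preserve the old OR between the integrity level check and the `User|contains` check, and `all of selection_*` still requires `selection_img` alongside it, so the match logic is unchanged.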
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ references:
- https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2023-02-13
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1068
Expand All @@ -30,7 +30,9 @@ detection:
- 'pwsh.dll'
selection_parent:
ParentImage|endswith: '\elevation_service.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
condition: all of selection_*
falsepositives:
- Unknown
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://streamable.com/q2dsji
author: Florian Roth (Nextron Systems), Maxime Thiebaut
date: 2021-08-23
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1553
Expand All @@ -18,10 +18,12 @@ logsource:
detection:
selection:
ParentImage|endswith: '\RazerInstaller.exe'
IntegrityLevel: 'System'
filter:
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
filter_main_razer:
Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
level: high
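Review bot: the rename `filter` to `filter_main_razer` with `not 1 of filter_main_*` is a behaviour-preserving cleanup not covered by the PR title; mention it in the commit message. Separately, the unchanged falsepositives entry still refers to "sub processes of this explorer.exe process" although the rule keys on `ParentImage|endswith: '\RazerInstaller.exe'`; that text looks stale and is worth fixing while the rule is being touched.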
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ references:
- https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1202
Expand All @@ -16,7 +17,9 @@ logsource:
category: process_creation
detection:
selection:
IntegrityLevel: 'High'
IntegrityLevel:
- 'High'
- 'S-1-16-12288'
CommandLine|contains|all:
- 'conhost.exe'
- '0xffffffff'
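Review bot: `'S-1-16-12288'` is added without an inline comment, whereas the System SIDs elsewhere in this PR carry `# System` and the UAC bypass rules annotate this same value as `# High`; add `# High` here so the mapping is readable without looking up the SID.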
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-03-13
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1218.007
Expand Down Expand Up @@ -39,7 +39,9 @@ detection:
ParentImage|startswith: 'C:\Windows\Temp\'
filter_ccm:
ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- WindowsApps installing updates via the quiet flag
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2023-01-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1574.011
Expand All @@ -16,7 +16,9 @@ logsource:
category: process_creation
detection:
selection:
IntegrityLevel: 'Medium'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'services'
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2022-07-14
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-evasion
Expand All @@ -19,7 +19,9 @@ logsource:
detection:
scbynonadmin:
Image|endswith: '\sc.exe'
IntegrityLevel: 'Medium'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
selection_binpath:
CommandLine|contains|all:
- 'config'
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ references:
- https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.persistence
Expand All @@ -30,7 +31,9 @@ detection:
filter_main_extension_xml:
CommandLine|contains: '.xml'
filter_main_system_process:
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_main_rundll32:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ references:
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021-07-11
modified: 2023-02-09
modified: 2024-12-01
tags:
- attack.execution
- attack.t1203
Expand All @@ -18,7 +18,9 @@ logsource:
detection:
spoolsv:
ParentImage|endswith: '\spoolsv.exe'
IntegrityLevel: System
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
suspicious_unrestricted:
Image|endswith:
- '\gpupdate.exe'
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2023-03-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
Expand All @@ -25,7 +25,9 @@ detection:
Image|endswith: 'tmp'
selection_image_2:
Image|endswith: '\msiexec.exe'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_installer:
ParentImage: 'C:\Windows\System32\services.exe'
filter_repair:
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ references:
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2022-12-15
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1134.002
Expand All @@ -32,7 +32,9 @@ detection:
- '\SYSTEM'
- '\Système'
- '\СИСТЕМА'
IntegrityLevel: 'System'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
Original file line number Diff line number Diff line change
Expand Up @@ -6,38 +6,35 @@ references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2022-07-07
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
reg:
CommandLine|contains|all:
- 'reg '
- 'add'
powershell:
CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
select_data:
IntegrityLevel: 'Medium'
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: (reg or powershell) and select_data
fields:
- EventID
- IntegrityLevel
- CommandLine
condition: all of selection_*
falsepositives:
- Unknown
level: high
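Review bot: the `fields:` block (EventID, IntegrityLevel, CommandLine) is dropped in the same hunk that restructures the selections, which the PR title does not announce; state in the commit message that `fields` lists are being removed as well. On the logic itself, the two maps listed under `selection_cli` are alternatives, so `all of selection_*` still matches either the `reg add` branch or the PowerShell cmdlet branch together with `selection_data`, equivalent to the old `(reg or powershell) and select_data`; a test event for each branch would confirm the rewrite since both the selection names and the condition expression changed at once.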
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2024-11-11
modified: 2024-12-01
tags:
- attack.credential-access
- attack.defense-evasion
Expand All @@ -20,7 +20,9 @@ logsource:
product: windows
detection:
selection:
IntegrityLevel: System
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,6 @@ detection:
- 'qwsu '
- 'uwdqs '
condition: all of selection*
fields:
- IntegrityLevel
- Product
- Description
- CommandLine
falsepositives:
- System administrator Usage
level: medium
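Review bot: this hunk removes only the `fields:` block (IntegrityLevel, Product, Description, CommandLine) and adds no SID at all, so it is unrelated to "add SID version of integrity levels"; if dropping `fields` from rules is a deliberate cleanup, say so in the PR description so the change is not mistaken for an accidental deletion.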
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ references:
- https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
- attack.execution
logsource:
Expand All @@ -16,7 +17,9 @@ detection:
- Image|endswith: '\tscon.exe'
- OriginalFileName: 'tscon.exe'
selection_integrity:
IntegrityLevel: SYSTEM
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_*
falsepositives:
- Administrative activity
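Review bot: besides adding the SID, this hunk changes the existing value from `SYSTEM` to `'System'`; that aligns the spelling with the other rules in this PR, but it is a second change in the same line and should be called out in the commit message so reviewers of the backend output know the string literal moved.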
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ references:
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
Expand All @@ -23,6 +23,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
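Review bot: the SIDs are appended in the reverse order of the names they mirror (`'High'`, `'System'`, then `# System`, `# High`); placing each SID directly after its named form, e.g. `'High'`, `'S-1-16-12288' # High`, `'System'`, `'S-1-16-16384' # System`, reads more easily. The same ordering appears in the two following UAC bypass hunks.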
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.privilege-escalation
Expand All @@ -21,6 +21,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ references:
- https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2022-09-21
modified: 2024-12-01
tags:
- attack.execution
- attack.defense-evasion
Expand All @@ -33,6 +33,8 @@ detection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)