diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml index 3400ae5db..e8433c1ba 100644 --- a/rules/credentail_access_file_access_to_sam_database.yml +++ b/rules/credentail_access_file_access_to_sam_database.yml @@ -1,6 +1,6 @@ name: File access to SAM database id: e3dace20-4962-4381-884e-40dcdde66626 -version: 1.0.0 +version: 1.0.1 description: | Identifies access to the Security Account Manager on-disk database. labels: @@ -17,7 +17,7 @@ labels: condition: > open_file and - file.name imatches + file.path imatches ( '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM', @@ -32,4 +32,4 @@ condition: > '?:\\Windows\\System32\\lsass.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml index 1cd80fa79..2ad2fa726 100644 --- a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml +++ b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml @@ -1,6 +1,6 @@ name: LSASS memory dump preparation via SilentProcessExit id: d325e426-f89a-4f7c-b655-3874dad07986 -version: 1.0.0 +version: 1.0.1 description: | Adversaries may exploit the SilentProcessExit debugging technique to conduct LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating @@ -27,8 +27,8 @@ references: condition: > modify_registry and - registry.key.name + registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*' -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_lsass_memory_dump_via_wer.yml b/rules/credential_access_lsass_memory_dump_via_wer.yml index c9f19ab3f..999ede205 100644 
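Review bot: The file name `credentail_access_file_access_to_sam_database.yml` misspells "credential", unlike every sibling rule touched by this diff, and the commit already edits and re-versions this file. Renaming it to `credential_access_file_access_to_sam_database.yml` would keep the rule set consistent and greppable; the rule content itself follows the same `file.path imatches (...)` convention as the other rules.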
--- a/rules/credential_access_lsass_memory_dump_via_wer.yml +++ b/rules/credential_access_lsass_memory_dump_via_wer.yml @@ -1,6 +1,6 @@ name: LSASS memory dump via Windows Error Reporting id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7 -version: 1.0.0 +version: 1.0.1 description: | Adversaries may abuse Windows Error Reporting service to dump LSASS memory. The ALPC protocol can send a message to report an exception on LSASS and @@ -22,6 +22,6 @@ condition: > sequence maxspan 2m |spawn_process and ps.child.name in ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid - |write_minidump_file and file.name icontains 'lsass'| by ps.uuid + |write_minidump_file and file.path icontains 'lsass'| by ps.uuid -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml index e811dd2a2..659941689 100644 --- a/rules/credential_access_lsass_memory_dumping.yml +++ b/rules/credential_access_lsass_memory_dumping.yml @@ -1,6 +1,6 @@ name: LSASS memory dumping via legitimate or offensive tools id: 335795af-246b-483e-8657-09a30c102e63 -version: 1.0.0 +version: 1.0.1 description: | Detects an attempt to dump the LSAAS memory to the disk by employing legitimate tools such as procdump, Task Manager, Process Explorer or built-in Windows tools @@ -39,7 +39,7 @@ condition: > output: > Detected an attempt by `%1.ps.name` process to access and read the memory of the **Local Security And Authority Subsystem Service** - and subsequently write the `%2.file.name` dump file to the disk device + and subsequently write the `%2.file.path` dump file to the disk device severity: critical -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml index d4653288a..82c81e218 100644 --- a/rules/credential_access_potential_sam_hive_dumping.yml 
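Review bot: In the second sequence stage, `file.path icontains 'lsass'` tests the whole path, so a minidump written under any directory whose name contains `lsass` (constructed example: `C:\tools\lsass-research\app.dmp`) satisfies the stage whatever the dump file is actually called. This diff separates `file.path` (full path) from `file.name` (base name), so `file.name icontains 'lsass'` would state the intent more tightly; whether the engine populates `file.name` for minidump events cannot be confirmed from this hunk. The enclosing `sequence` block starts outside the hunk.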
+++ b/rules/credential_access_potential_sam_hive_dumping.yml @@ -1,6 +1,6 @@ name: Potential SAM hive dumping id: 2f326557-0291-4eb1-a87a-7a17b7d941cb -version: 1.0.0 +version: 1.0.1 description: Identifies access to the Security Account Manager registry hives. labels: @@ -30,10 +30,10 @@ condition: > | by ps.child.uuid |open_registry and - registry.key.name imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' + registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and not - registry.key.name imatches + registry.path imatches ( 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users', 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names', @@ -68,4 +68,4 @@ condition: > ) | by ps.uuid -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml index 2eafbeb5c..ceb485e9b 100644 --- a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml +++ b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml @@ -1,6 +1,6 @@ name: Suspicious access to Active Directory domain database id: a30c100e-28d0-4aa0-b98d-0d38025c2c29 -version: 1.0.0 +version: 1.0.1 description: | Detects suspicious access to the Active Directory domain database. Adversaries may attempt to access or create a copy of the Active Directory @@ -19,7 +19,7 @@ labels: condition: > open_file and - file.name imatches + file.path imatches ( '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit', '?:\\WINDOWS\\NTDS\\ntds.dit' @@ -32,4 +32,4 @@ condition: > '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 
diff --git a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml index 46161beb4..ede8c4b9c 100644 --- a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml +++ b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Unattended Panther files id: d305fb15-6ad1-4d61-a84b-ada462f23a55 -version: 1.0.0 +version: 1.0.1 description: | Identifies suspicious to access to unattend.xml files where credentials are commonly stored within the Panther directory. Adversaries may search local @@ -19,7 +19,7 @@ labels: condition: > open_file and - file.name imatches + file.path imatches ( '?:\\Windows\\Panther\\Unattend\\Unattended.xml', '?:\\Windows\\Panther\\Unattend\\Unattend.xml', @@ -35,4 +35,4 @@ condition: > '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml b/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml index 68548317f..6c66d9fa1 100644 --- a/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml +++ b/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows DPAPI Master Keys id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5 -version: 1.0.0 +version: 1.0.1 description: | Detects suspicious processes accessing the Windows Data Protection API Master keys which is a sign of potential credential stealing. @@ -26,7 +26,7 @@ references: condition: > open_file and - file.name imatches + file.path imatches ( '?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*', '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*', 
@@ -42,4 +42,4 @@ condition: > '?:\\Windows\\SysWOW64\\*' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_suspicious_access_to_windows_manager_files.yml b/rules/credential_access_suspicious_access_to_windows_manager_files.yml index 2740de80d..fbb042c4b 100644 --- a/rules/credential_access_suspicious_access_to_windows_manager_files.yml +++ b/rules/credential_access_suspicious_access_to_windows_manager_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows Credential Manager files id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379 -version: 1.0.0 +version: 1.0.1 description: | Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager. labels: @@ -17,7 +17,7 @@ labels: condition: > open_file and - file.name imatches + file.path imatches ( '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*', '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*' @@ -31,4 +31,4 @@ condition: > '?:\\Windows\\System32\\lsass.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_suspicious_access_to_windows_vault_files.yml b/rules/credential_access_suspicious_access_to_windows_vault_files.yml index 7004a7f5d..1c0dffb93 100644 --- a/rules/credential_access_suspicious_access_to_windows_vault_files.yml +++ b/rules/credential_access_suspicious_access_to_windows_vault_files.yml @@ -1,6 +1,6 @@ name: Suspicious access to Windows Vault files id: 44400221-f98d-424a-9388-497c75b18924 -version: 1.0.0 +version: 1.0.1 description: | Identifies attempts from adversaries to acquire credentials from Vault files. labels: @@ -17,7 +17,7 @@ labels: condition: > open_file and - file.name imatches + file.path imatches ( '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*', '?:\\ProgramData\\Microsoft\\Vault\\*' @@ -34,4 +34,4 @@ condition: > '?:\\Windows\\System32\\svchost.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 
diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml index 26022293f..dc680d3ba 100644 --- a/rules/credential_access_unusual_access_to_ssh_keys.yml +++ b/rules/credential_access_unusual_access_to_ssh_keys.yml @@ -1,6 +1,6 @@ name: Unusual access to SSH keys id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60 -version: 1.0.0 +version: 1.0.1 description: | Identifies access by unusual process to saved SSH keys. labels: @@ -17,7 +17,7 @@ labels: condition: > open_file and - file.name imatches '?:\\Users\\*\\.ssh\\known_hosts' + file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and not ps.exe imatches @@ -37,4 +37,4 @@ condition: > 'WinSCP.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml index 6351f3d0b..2cafbbbd1 100644 --- a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml +++ b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml @@ -1,6 +1,6 @@ name: Unusual access to Web Browser Credential stores id: 9d889b2b-ca13-4a04-8919-ff1151f23a71 -version: 1.0.0 +version: 1.0.1 description: | Identifies access to Web Browser Credential stores by unusual processes. labels: @@ -17,7 +17,7 @@ labels: condition: > open_file and - file.name imatches web_browser_cred_stores + file.path imatches web_browser_cred_stores and ps.name not iin web_browser_binaries and @@ -31,4 +31,4 @@ condition: > '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/credential_access_unusual_access_to_windows_credential_history.yml b/rules/credential_access_unusual_access_to_windows_credential_history.yml index df7b5e91f..f24a4ded0 100644 --- a/rules/credential_access_unusual_access_to_windows_credential_history.yml 
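Review bot: The rewritten condition's only pattern, `file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'`, covers `known_hosts` alone, while the rule name and description say "saved SSH keys". If the narrowing is deliberate, the description should say that the rule watches `known_hosts`; otherwise the pattern should be a list that also covers the key files under `?:\\Users\\*\\.ssh\\*`. The `ps.exe` exclusion list that follows continues outside the hunk.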
+++ b/rules/credential_access_unusual_access_to_windows_credential_history.yml @@ -1,6 +1,6 @@ name: Unusual access to Windows Credential history files id: 9d94062f-2cf3-407c-bd65-4072fe4b167f -version: 1.0.0 +version: 1.0.1 description: | Detects unusual accesses to the Windows Credential history file. The CREDHIST file contains all previous password-linked master key hashes used by @@ -20,7 +20,7 @@ labels: condition: > open_file and - file.name imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST' + file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST' and not ps.exe imatches @@ -31,4 +31,4 @@ condition: > '?:\\Windows\\ccmcache\\*.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml index 7dbbfdda4..b91287c3d 100644 --- a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml +++ b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml @@ -1,6 +1,6 @@ name: AppDomain Manager injection via CLR search order hijacking id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18 -version: 1.0.0 +version: 1.0.1 description: | Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments 
@@ -25,12 +25,12 @@ references: - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ condition: > - (load_unsigned_or_untrusted_module) and ((base(dir(image.name)) ~= base(image.name, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith base(image.name, false))) + (load_unsigned_or_untrusted_module) and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*')) output: > - Process %ps.exe loaded untrusted .NET assembly %image.name from suspicious location + Process %ps.exe loaded untrusted .NET assembly %image.path from suspicious location severity: high -min-engine-version: 2.3.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_clear_eventlog.yml b/rules/defense_evasion_clear_eventlog.yml index 4681bf654..7adfe1725 100644 --- a/rules/defense_evasion_clear_eventlog.yml +++ b/rules/defense_evasion_clear_eventlog.yml @@ -1,6 +1,6 @@ name: Clear Eventlog id: 692d3143-e1fb-4dab-8c9c-3109ff80ec85 -version: 1.0.1 +version: 1.0.2 description: | Identifies attempts to clear Windows event log stores. Adversaries attempt to evade detection or destroy forensic evidence on a system to cover their trails and slow down incident response. 
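Review bot: The second operand of the `or` was changed from `base(image.name, false)` to plain `image.name`, while the first operand kept the `base(image.path, false)` form. If `image.name` now carries the base file name including its extension (which the field split across this diff suggests) and the `false` argument is what strips the extension, then `ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name` no longer matches an assembly name configured without `.dll`, and that half of the detection silently stops firing. Unless dropping the extension strip was intended, keep `ps.envs[APPDOMAIN_MANAGER_ASM] istartswith base(image.name, false)`. The condition and output lines are the whole hunk; the rule's other keys sit outside it.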
@@ -19,11 +19,11 @@ condition: > sequence maxspan 1m by file.object - |set_file_information and kevt.pid != 4 and file.info_class = 'EOF' and file.info.eof_size > 50000 and file.name imatches '?:\\Windows\\System32\\winevt\\Logs\\*.evtx'| + |set_file_information and kevt.pid != 4 and file.info_class = 'EOF' and file.info.eof_size > 50000 and file.path imatches '?:\\Windows\\System32\\winevt\\Logs\\*.evtx'| |set_file_information and file.info_class = 'Allocation' and file.info.allocation_size > 50000| output: > - Windows Eventlog store %1.file.name was cleared + Windows Eventlog store %1.file.path was cleared severity: medium -min-engine-version: 2.3.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_dll_loaded_via_apc_queue.yml b/rules/defense_evasion_dll_loaded_via_apc_queue.yml index 07bab8437..80b0cfdf4 100644 --- a/rules/defense_evasion_dll_loaded_via_apc_queue.yml +++ b/rules/defense_evasion_dll_loaded_via_apc_queue.yml @@ -1,6 +1,6 @@ name: DLL loaded via APC queue id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e -version: 1.0.0 +version: 1.0.1 description: | Identifies loading of a DLL with a callstack originating from the thread alertable state that led to the execution of an APC routine. This may be @@ -16,7 +16,7 @@ references: - https://github.com/Idov31/Cronos condition: > - load_dll and base(image.name) iin + load_dll and image.name iin ( 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', @@ -30,4 +30,4 @@ condition: > and thread.callstack.symbols imatches ('KernelBase.dll!Sleep*') -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_dll_loaded_via_callback_function.yml b/rules/defense_evasion_dll_loaded_via_callback_function.yml index 3f538919a..ff5aaf820 100644 --- a/rules/defense_evasion_dll_loaded_via_callback_function.yml +++ b/rules/defense_evasion_dll_loaded_via_callback_function.yml 
@@ -1,6 +1,6 @@ name: DLL loaded via a callback function id: c7f46d0a-10b2-421a-b33c-f4df79599f2e -version: 1.0.0 +version: 1.0.1 description: | Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback @@ -20,7 +20,7 @@ condition: > sequence maxspan 2m |spawn_process| by ps.child.uuid - |load_dll and base(image.name) iin + |load_dll and image.name iin ( 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll', 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll', @@ -36,7 +36,7 @@ condition: > | by ps.uuid output: > - %2.image.name loaded from callback function by process %ps.exe + %2.image.path loaded from callback function by process %ps.exe severity: high -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml index 03c0cfe6b..6b02811cf 100644 --- a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml +++ b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml @@ -1,6 +1,6 @@ name: DLL Side-Loading via a copied binary id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c -version: 1.0.0 +version: 1.0.1 description: | Identifies when a binary is copied to a directory and shortly followed by the loading of an unsigned DLL from the same directory. Adversaries may 
@@ -23,12 +23,12 @@ condition: > |create_file and file.is_exec and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*') - | by file.name - |(load_dll) and dir(image.name) ~= dir(ps.exe) + | by file.path + |(load_dll) and dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted and (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED') | by ps.exe -min-engine-version: 2.2.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml index 3c1f987ba..430f03fa2 100644 --- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml +++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml @@ -1,6 +1,6 @@ name: .NET assembly loaded by unmanaged process id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a -version: 1.0.1 +version: 1.0.2 description: | Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method. @@ -21,7 +21,7 @@ condition: > (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and not - image.name imatches + image.path imatches ( '?:\\Windows\\assembly\\*\\*.ni.dll', '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll', @@ -35,7 +35,7 @@ condition: > ) output: > - .NET assembly %image.name loaded by unmanaged process %ps.exe + .NET assembly %image.path loaded by unmanaged process %ps.exe severity: high -min-engine-version: 2.3.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml index e05933155..95b7daf18 100644 --- a/rules/defense_evasion_hidden_registry_key_creation.yml 
+++ b/rules/defense_evasion_hidden_registry_key_creation.yml @@ -1,6 +1,6 @@ name: Hidden registry key creation id: 65deda38-9b1d-42a0-9f40-a68903e81b49 -version: 1.1.0 +version: 1.1.1 description: | Identifies the creation of a hidden registry key. Adversaries can utilize the native NtSetValueKey API to create a hidden registry key and conceal payloads @@ -16,7 +16,7 @@ references: - https://github.com/outflanknl/SharpHide condition: > - set_value and kevt.pid != 4 and registry.key.name endswith '\\' + set_value and kevt.pid != 4 and registry.path endswith '\\' and thread.callstack.symbols imatches ('ntdll.dll!NtSetValueKey', 'ntdll.dll!ZwSetValueKey') and @@ -33,7 +33,7 @@ condition: > ) output: > - Hidden registry key %registry.key.name created by process %ps.exe + Hidden registry key %registry.path created by process %ps.exe severity: high -min-engine-version: 2.2.0 +min-engine-version: 2.4.0 diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml index d238a037f..ea5765955 100644 --- a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml +++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml @@ -1,6 +1,6 @@ name: Process execution from a self-deleting binary id: 0f0da517-b22c-4d14-9adc-36baeb621cf7 -version: 1.0.0 +version: 1.0.1 description: | Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file @@ -24,7 +24,7 @@ condition: > |load_module| by image.name output: > - Process %2.image.name spawned from self-deleting binary + Process %2.image.path spawned from self-deleting binary severity: high -min-engine-version: 2.3.0 +min-engine-version: 2.4.0 
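Review bot: The context line `|load_module| by image.name` in the self-deleting-binary rule was left untouched while its output was migrated to `%2.image.path`, and the sibling rules in this diff (phantom DLL hijacking, DLL side-loading via copied binary) moved their `by` join keys to `*.path`. If `image.name` now holds only the base file name, this stage joins on base name instead of full path: either the stages no longer pair at all, or any module with the same file name can pair with the first stage. Changing it to `|load_module| by image.path` restores the previous join semantics; the first stage of the sequence is outside the hunk, so what it joins on cannot be confirmed here.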
diff --git a/rules/initial_access_execution_via_microsoft_office_process.yml b/rules/initial_access_execution_via_microsoft_office_process.yml index b5500e753..d5b166c1d 100644 --- a/rules/initial_access_execution_via_microsoft_office_process.yml +++ b/rules/initial_access_execution_via_microsoft_office_process.yml @@ -1,6 +1,6 @@ name: Execution via Microsoft Office process id: a10ebe66-1b55-4005-a374-840f1e2933a3 -version: 1.0.0 +version: 1.0.1 description: Identifies the execution of the file dropped by Microsoft Office process. labels: @@ -17,7 +17,7 @@ labels: condition: > sequence maxspan 1h - |create_file and (file.extension iin executable_extensions or file.is_exec) and ps.name iin msoffice_binaries| by file.name + |create_file and (file.extension iin executable_extensions or file.is_exec) and ps.name iin msoffice_binaries| by file.path |spawn_process and ps.name iin msoffice_binaries| by ps.child.exe -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml index 018737b1a..f08852f4b 100644 --- a/rules/macros/macros.yml +++ b/rules/macros/macros.yml @@ -207,7 +207,7 @@ '.dump' ) or - is_minidump(file.name) + is_minidump(file.path) ) description: | Detects a process writing the minidump file. Minidump files are used for crash diff --git a/rules/persistence_hidden_local_account_creation.yml b/rules/persistence_hidden_local_account_creation.yml index 7b7747bec..8afb80b87 100644 --- a/rules/persistence_hidden_local_account_creation.yml +++ b/rules/persistence_hidden_local_account_creation.yml @@ -1,6 +1,6 @@ name: Hidden local account creation id: bfa83754-3730-4c46-a0fd-cc71365f64df -version: 1.0.0 +version: 1.0.1 description: | Identifies the creation of a hidden local account. Adversaries can create hidden accounts by appending the dollar sign to the account name. This technique renders the account name hidden 
@@ -17,7 +17,7 @@ labels: subtechnique.ref: https://attack.mitre.org/techniques/T1136/001/ condition: > - set_value and registry.key.name imatches + set_value and registry.path imatches ( 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\', 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*$\\' @@ -25,4 +25,4 @@ condition: > severity: high -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml index f7efde2f4..ec3f5ae93 100644 --- a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml +++ b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml @@ -1,6 +1,6 @@ name: Network connection via startup folder executable or script id: 09b7278d-42e3-4792-9f00-dee38baecfad -version: 1.0.0 +version: 1.0.1 description: | Identifies the execution of unsigned binary or script from the Startup folder followed by network inbound or outbound connection. @@ -23,7 +23,7 @@ condition: > ( load_untrusted_executable and - image.name imatches startup_locations + image.path imatches startup_locations ) or ( @@ -36,4 +36,4 @@ condition: > | |((inbound_network) or (outbound_network)) and ps.cmdline imatches startup_locations| -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_rid_hijacking.yml b/rules/persistence_rid_hijacking.yml index 095620fc3..a4bb503b2 100644 --- a/rules/persistence_rid_hijacking.yml +++ b/rules/persistence_rid_hijacking.yml @@ -1,6 +1,6 @@ name: RID Hijacking id: 5c25666a-4a9f-4b7c-b02f-db0b5cdbde83 -version: 1.0.0 +version: 1.0.1 description: | RID (Relative ID part of security identifier) hijacking allows an attacker with SYSTEM level privileges to covertly replace the RID of a low privileged account effectively making 
@@ -17,11 +17,11 @@ references: - https://www.ired.team/offensive-security/persistence/rid-hijacking condition: > - set_value and registry.key.name imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*\\F' + set_value and registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\*\\F' and ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches '?:\\Windows\\System32\\lsass.exe' -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml index 496e808d0..ffa34b867 100644 --- a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml +++ b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml @@ -1,6 +1,6 @@ name: Script interpreter host or untrusted process persistence id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea -version: 1.0.2 +version: 1.0.3 description: | Identifies the script interpreter or untrusted process writing to commonly abused run keys or the Startup folder locations. @@ -27,9 +27,9 @@ condition: > ) and ( - registry.key.name imatches registry_run_keys + registry.path imatches registry_run_keys or - file.name imatches startup_locations + file.path imatches startup_locations ) and not @@ -42,4 +42,4 @@ condition: > action: - name: kill -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_suspicious_microsoft_office_template.yml b/rules/persistence_suspicious_microsoft_office_template.yml index 2d44adcff..74d11a80a 100644 --- a/rules/persistence_suspicious_microsoft_office_template.yml +++ b/rules/persistence_suspicious_microsoft_office_template.yml 
@@ -1,6 +1,6 @@ name: Suspicious Microsoft Office template id: c4be3b30-9d23-4a33-b974-fb12e17487a2 -version: 1.0.0 +version: 1.0.1 description: | Detects when attackers drop macro-enabled files in specific folders to trigger their execution every time the victim user @@ -21,7 +21,7 @@ references: condition: > create_file and - file.name imatches + file.path imatches ( '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*', '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Templates\\*.dotm', @@ -41,6 +41,6 @@ condition: > ) output: > - Office template %file.name created by suspicious process %ps.exe + Office template %file.path created by suspicious process %ps.exe -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_suspicious_persistence_via_registry_modification.yml b/rules/persistence_suspicious_persistence_via_registry_modification.yml index 2bffeb6ef..8a2e3f692 100644 --- a/rules/persistence_suspicious_persistence_via_registry_modification.yml +++ b/rules/persistence_suspicious_persistence_via_registry_modification.yml @@ -1,6 +1,6 @@ name: Suspicious persistence via registry modification id: 1f496a17-4f0c-491a-823b-7a70adb9919c -version: 1.0.1 +version: 1.0.2 description: | Adversaries may abuse the registry to achieve persistence by modifying the keys that are unlikely modified by legitimate @@ -27,6 +27,6 @@ condition: > pe.is_signed = false or pe.is_trusted = false ) and - registry.key.name imatches registry_persistence_keys + registry.path imatches registry_persistence_keys -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_suspicious_startup_shell_folder_modification.yml b/rules/persistence_suspicious_startup_shell_folder_modification.yml index f6871d0fb..86c8b30f1 100644 --- a/rules/persistence_suspicious_startup_shell_folder_modification.yml +++ b/rules/persistence_suspicious_startup_shell_folder_modification.yml 
@@ -1,6 +1,6 @@ name: Suspicious Startup shell folder modification id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad -version: 1.0.0 +version: 1.0.1 description: | Detects when adversaries attempt to modify the default Startup folder path to to circumvent runtime rules that hunt for file @@ -19,7 +19,7 @@ labels: condition: > modify_registry and - registry.key.name imatches startup_shell_folder_registry_keys + registry.path imatches startup_shell_folder_registry_keys and not ( @@ -28,4 +28,4 @@ condition: > registry.value imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup') ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_unusual_file_written_in_startup_folder.yml b/rules/persistence_unusual_file_written_in_startup_folder.yml index ef5c7f06a..8212203d9 100644 --- a/rules/persistence_unusual_file_written_in_startup_folder.yml +++ b/rules/persistence_unusual_file_written_in_startup_folder.yml @@ -1,6 +1,6 @@ name: Unusual file written in Startup folder id: c5ffe15c-d94f-416b-bec7-c47f89843267 -version: 1.0.0 +version: 1.0.1 description: | Identifies suspicious files written to the startup folder that would allow adversaries to maintain persistence on the endpoint. @@ -24,7 +24,7 @@ condition: > (file.is_exec or file.is_dll) ) and - file.name imatches startup_locations + file.path imatches startup_locations and not ps.exe imatches @@ -36,4 +36,4 @@ condition: > '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/persistence_unusual_process_modified_registry_run_key.yml b/rules/persistence_unusual_process_modified_registry_run_key.yml index d7ff66961..055e8dee8 100644 --- a/rules/persistence_unusual_process_modified_registry_run_key.yml +++ b/rules/persistence_unusual_process_modified_registry_run_key.yml 
@@ -1,6 +1,6 @@ name: Unusual process modified registry run key id: 921508a5-b627-4c02-a295-6c6863c0897b -version: 1.0.0 +version: 1.0.1 description: | Identifies an attempt by unusual Windows native processes to modify the run key and gain persistence on users logons or machine reboots. @@ -20,7 +20,7 @@ condition: > and ps.exe imatches '?:\\Windows\\*' and - registry.key.name imatches registry_run_keys + registry.path imatches registry_run_keys and not ps.exe imatches @@ -46,4 +46,4 @@ condition: > '?:\\Windows\\System32\\backgroundTaskHost.exe' ) -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml b/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml index c10d5148c..678885474 100644 --- a/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml +++ b/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml @@ -1,6 +1,6 @@ name: Potential privilege escalation via phantom DLL hijacking id: 5ccdb5c2-3a30-4e14-87d2-d7aeb4c45fad -version: 1.0.0 +version: 1.0.1 description: | Identifies the loading of the phantom DLL that was previously dropped to the System directory. Adversaries may exploit this flow to escalate @@ -27,7 +27,7 @@ references: condition: > sequence maxspan 10m - |create_file and file.name imatches + |create_file and file.path imatches ( '?:\\Windows\\System32\\wow64log.dll', '?:\\Windows\\wbemcomn.dll', @@ -44,7 +44,7 @@ condition: > '?:\\Windows\\System32\\Speech\\Engines\\TTS\\MSTTSLocEnUS.dll', '?:\\Windows\\System32\\DXGIDebug.dll' ) - | by file.name - |load_dll| by image.name + | by file.path + |load_dll| by image.path -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 
diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml index bf202168b..c7198e1a4 100644 --- a/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml +++ b/rules/privilege_escalation_vulnerable_or_malicious_driver_dropped.yml @@ -1,6 +1,6 @@ name: Vulnerable or malicious driver dropped id: d4742163-cf68-4ebd-b9a2-3ad17bbf63d5 -version: 1.0.0 +version: 1.0.1 description: | Detects when adversaries drop a vulnerable/malicious driver onto a compromised system as a preparation for vulnerability @@ -21,6 +21,6 @@ condition: > (file.is_driver_vulnerable or file.is_driver_malicious) output: > - Vulnerable or malicious %file.name driver dropped + Vulnerable or malicious %file.path driver dropped -min-engine-version: 2.0.0 +min-engine-version: 2.4.0 diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml index edfe6712a..c5db94e30 100644 --- a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml +++ b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml @@ -1,6 +1,6 @@ name: Vulnerable or malicious driver loaded id: e8005f1d-b4ec-45ee-a3ea-4247eac123db -version: 1.0.0 +version: 1.0.1 description: | Detects when adversaries load a vulnerable/malicious driver into the compromised system to exploit the vulnerability and @@ -21,6 +21,6 @@ condition: > (image.is_driver_vulnerable or image.is_driver_malicious) output: > - Vulnerable or malicious %image.name driver loaded + Vulnerable or malicious %image.path driver loaded -min-engine-version: 2.0.0 +min-engine-version: 2.4.0