diff --git a/yml/OSBinaries/At.yml b/yml/OSBinaries/At.yml index 8794dfc7d..6fb7a7768 100644 --- a/yml/OSBinaries/At.yml +++ b/yml/OSBinaries/At.yml @@ -20,6 +20,9 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/builtin/security/win_security_atsvc_task.yml + - Splunk: https://research.splunk.com/endpoint/7bc20606-5f40-11ec-a586-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/ + - Splunk: https://research.splunk.com/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/ - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job) - IOC: C:\Windows\Tasks\At1.job - IOC: Registry Key - Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. diff --git a/yml/OSBinaries/Bitsadmin.yml b/yml/OSBinaries/Bitsadmin.yml index f65b2137c..cbebafc66 100644 --- a/yml/OSBinaries/Bitsadmin.yml +++ b/yml/OSBinaries/Bitsadmin.yml @@ -40,6 +40,7 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/bitsadmin_download_file.yml + - Splunk: https://research.splunk.com/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/ - IOC: Child process from bitsadmin.exe - IOC: bitsadmin creates new files - IOC: bitsadmin adds data to alternate data stream diff --git a/yml/OSBinaries/Certutil.yml b/yml/OSBinaries/Certutil.yml index d575e6e65..c0401aacc 100644 --- a/yml/OSBinaries/Certutil.yml +++ b/yml/OSBinaries/Certutil.yml @@ -67,6 +67,9 @@ Detection: - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml - Splunk: https://github.com/splunk/security_content/blob/3f77e24974239fcb7a339080a1a483e6bad84a82/detections/endpoint/certutil_with_decode_argument.yml + - Splunk: https://research.splunk.com/endpoint/801ad9e4-8bfb-11eb-8b31-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/415b4306-8bfb-11eb-85c4-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/bfe94226-8c10-11eb-a4b3-acde48001122/ - IOC: Certutil.exe creating new files on disk - IOC: Useragent Microsoft-CryptoAPI/10.0 - IOC: Useragent CertUtil URL Agent diff --git a/yml/OSBinaries/Cmd.yml b/yml/OSBinaries/Cmd.yml index 8586dc11c..7f5d74ade 100644 --- a/yml/OSBinaries/Cmd.yml +++ b/yml/OSBinaries/Cmd.yml @@ -39,6 +39,10 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_ads_file_creation.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml + - Splunk: https://research.splunk.com/endpoint/dcfd6b40-42f9-469d-a433-2e53f7486664/ + - Splunk: https://research.splunk.com/endpoint/54a6ed00-3256-11ec-b031-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/eb277ba0-b96b-11eb-b00e-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/b89919ed-fe5f-492c-b139-95dbb162039e/ - IOC: cmd.exe executing files from alternate data streams. - IOC: cmd.exe creating/modifying file contents in an alternate data stream. Resources: diff --git a/yml/OSBinaries/Cmstp.yml b/yml/OSBinaries/Cmstp.yml index eda30374d..de9427d1b 100644 --- a/yml/OSBinaries/Cmstp.yml +++ b/yml/OSBinaries/Cmstp.yml @@ -42,6 +42,7 @@ Detection: - Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml - Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml + - Splunk: https://research.splunk.com/endpoint/f87b5062-b405-11eb-a889-acde48001122/ - IOC: Execution of cmstp.exe without a VPN use case is suspicious - IOC: DotNet CLR libraries loaded into cmstp.exe - IOC: DotNet CLR Usage Log - cmstp.exe.log diff --git a/yml/OSBinaries/Control.yml b/yml/OSBinaries/Control.yml index 349196e43..93b7ffa69 100644 --- a/yml/OSBinaries/Control.yml +++ b/yml/OSBinaries/Control.yml @@ -31,6 +31,7 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - Elastic: https://github.com/elastic/detection-rules/blob/0875c1e4c4370ab9fbf453c8160bb5abc8ad95e7/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml - Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_unusual_dir_ads.toml + - Splunk: https://research.splunk.com/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/ - IOC: Control.exe executing files from alternate data streams - IOC: Control.exe executing library file without cpl extension - IOC: Suspicious network connections from control.exe diff --git a/yml/OSBinaries/Eventvwr.yml b/yml/OSBinaries/Eventvwr.yml index 1f608bd8b..44261f0e6 100644 --- a/yml/OSBinaries/Eventvwr.yml +++ b/yml/OSBinaries/Eventvwr.yml @@ -35,6 +35,7 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/197615345b927682ab7ad7fa3c5f5bb2ed911eed/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml - Elastic: https://github.com/elastic/detection-rules/blob/d31ea6253ea40789b1fc49ade79b7ec92154d12a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml - Splunk: https://github.com/splunk/security_content/blob/86a5b644a44240f01274c8b74d19a435c7dae66e/detections/endpoint/eventvwr_uac_bypass.yml + - Splunk: https://research.splunk.com/endpoint/9cf8fe08-7ad8-11eb-9819-acde48001122/ - IOC: eventvwr.exe launching child process other than mmc.exe - IOC: Creation or modification of the registry value HKCU\Software\Classes\mscfile\shell\open\command Resources: diff --git a/yml/OSBinaries/Forfiles.yml b/yml/OSBinaries/Forfiles.yml index 0c1968ec2..1890d61a1 100644 --- a/yml/OSBinaries/Forfiles.yml +++ b/yml/OSBinaries/Forfiles.yml @@ -27,6 +27,8 @@ Full_Path: - Path: C:\Windows\SysWOW64\forfiles.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml + - Splunk: https://research.splunk.com/endpoint/bfdaabe7-3db8-48c5-80c1-220f9b8f22be/ + - Splunk: https://research.splunk.com/endpoint/1fdf31c9-ff4d-4c48-b799-0e8666e08787/ Resources: - Link: https://twitter.com/vector_sec/status/896049052642533376 - Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f diff --git a/yml/OSBinaries/Installutil.yml b/yml/OSBinaries/Installutil.yml index f14239a1b..d07f06b7c 100644 --- a/yml/OSBinaries/Installutil.yml +++ b/yml/OSBinaries/Installutil.yml @@ -43,6 +43,12 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml - Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/defense_evasion_installutil_beacon.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml + - Splunk: https://research.splunk.com/endpoint/4fbf9270-43da-11ec-9486-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/dcf74b22-7933-11ec-857c-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/cfa7b9ac-43f0-11ec-9b48-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/ccfeddec-43ec-11ec-b494-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/1a52c836-43ef-11ec-a36c-acde48001122/ + - Splunk: https://research.splunk.com/endpoint/28e06670-43df-11ec-a569-acde48001122/ Resources: - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/ - Link: https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12 diff --git a/yml/OSBinaries/Mavinject.yml b/yml/OSBinaries/Mavinject.yml index 5606b70b6..569d311a0 100644 --- a/yml/OSBinaries/Mavinject.yml +++ b/yml/OSBinaries/Mavinject.yml @@ -27,6 +27,7 @@ Full_Path: - Path: C:\Windows\SysWOW64\mavinject.exe Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml + - Splunk: https://research.splunk.com/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/ - IOC: mavinject.exe should not run unless APP-v is in use on the workstation Resources: - Link: https://twitter.com/gN3mes1s/status/941315826107510784 diff --git a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml index 75539d306..f976a9294 100644 --- a/yml/OSBinaries/Microsoft.Workflow.Compiler.yml +++ b/yml/OSBinaries/Microsoft.Workflow.Compiler.yml @@ -41,6 +41,8 @@ Detection: - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml - Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Splunk: https://research.splunk.com/endpoint/9bbc62e8-55d8-11eb-ae93-0242ac130002/ + - Splunk: https://research.splunk.com/endpoint/f0db4464-55d9-11eb-ae93-0242ac130002/ - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations. - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe - IOC: Presence of "\bin\Pester.bat Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml + - Splunk: https://research.splunk.com/endpoint/71b9bf37-cde1-45fb-b899-1b0aa6fa1183/ Resources: - Link: https://twitter.com/Oddvarmoe/status/993383596244258816 - Link: https://twitter.com/_st0pp3r_/status/1560072680887525378 diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index 8f7c7b1e5..d6d28bca4 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -45,6 +45,7 @@ Full_Path: Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules + - Splunk: https://research.splunk.com/endpoint/fddf3b56-7933-11ec-98a6-acde48001122/ - IOC: dotnet.exe spawned an unknown process Resources: - Link: https://twitter.com/_felamos/status/1204705548668555264 diff --git a/yml/OtherMSBinaries/Ntdsutil.yml b/yml/OtherMSBinaries/Ntdsutil.yml index e8b78c023..c20e87d48 100644 --- a/yml/OtherMSBinaries/Ntdsutil.yml +++ b/yml/OtherMSBinaries/Ntdsutil.yml @@ -17,6 +17,7 @@ Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/ntdsutil_export_ntds.yml - Elastic: https://github.com/elastic/detection-rules/blob/5bdf70e72c6cd4547624c521108189af994af449/rules/windows/credential_access_cmdline_dump_tool.toml + - Splunk: https://research.splunk.com/endpoint/da63bc76-61ae-11eb-ae93-0242ac130002/ - IOC: ntdsutil.exe with command line including "ifm" Resources: - Link: https://adsecurity.org/?p=2398#CreateIFM