Merge pull request #4316 from swachchhanda000/master

rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml

@@ -0,0 +1,85 @@
+title: WMI Module Loaded By Non Uncommon Process
+id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
+status: test
+description: Detects a WMI modules being loaded by an uncommon process
+references:
+    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+modified: 2023/08/08
+tags:
+    - attack.execution
+    - attack.t1047
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\fastprox.dll'
+            - '\wbemcomn.dll'
+            - '\wbemprox.dll'
+            - '\wbemsvc.dll'
+            - '\WmiApRpl.dll'
+            - '\wmiclnt.dll'
+            - '\WMINet_Utils.dll'
+            - '\wmiprov.dll'
+            - '\wmiutils.dll'
+    filter_optional_generic:
+        Image|contains:
+            - ':\Microsoft\Teams\current\Teams.exe'
+            - ':\Microsoft\Teams\Update.exe'
+            - ':\Windows\\explorer.exe'
+            - ':\Windows\Sysmon.exe'
+            - ':\Windows\Sysmon64.exe'
+            - ':\Windows\System32\CompatTelRunner.exe'
+            - ':\Windows\System32\DeviceCensus.exe'
+            - ':\Windows\System32\dfsrs.exe'
+            - ':\Windows\System32\dispdiag.exe'
+            - ':\Windows\System32\dxdiag.exe'
+            - ':\Windows\System32\gpresult.exe'
+            - ':\Windows\System32\logman.exe'
+            - ':\Windows\System32\MoUsoCoreWorker.exe'  # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
+            - ':\Windows\System32\sdiagnhost.exe'
+            - ':\Windows\System32\SecurityHealthService.exe'
+            - ':\Windows\System32\ServerManager.exe'
+            - ':\Windows\System32\SIHClient.exe'
+            - ':\Windows\System32\svchost.exe'
+            - ':\Windows\System32\systeminfo.exe'
+            - ':\Windows\System32\taskhostw.exe'  # c:\windows\system32\taskhostw.exe
+            - ':\Windows\System32\tasklist.exe'
+            - ':\Windows\System32\vds.exe'
+            - ':\Windows\System32\wbem\unsecapp.exe'
+            - ':\Windows\System32\wbem\WMIADAP.exe'  # https://github.com/SigmaHQ/sigma/issues/1871
+            - ':\Windows\System32\wbem\WmiApSrv.exe'
+            - ':\Windows\System32\wbem\WMIC.exe'
+            - ':\Windows\System32\wbem\WmiPrvSE.exe'
+            - ':\Windows\SysWOW64\explorer.exe'
+            - ':\Windows\SysWOW64\logman.exe'
+            - ':\Windows\SysWOW64\sdiagnhost.exe'
+            - ':\Windows\SysWOW64\svchost.exe'
+            - ':\Windows\SysWOW64\systeminfo.exe'
+            - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe'
+    filter_optional_other:
+        Image|endswith:
+            - '\WindowsAzureGuestAgent.exe'
+            - '\WaAppAgent.exe'
+    filter_optional_thor:
+        Image|endswith:
+            - '\thor.exe'
+            - '\thor64.exe'
+    filter_optional_defender:
+        Image|endswith: '\MsMpEng.exe'
+    filter_optional_dotnet:
+        Image|contains:
+            - ':\Windows\Microsoft.NET\Framework\'
+            - ':\Windows\Microsoft.NET\Framework64\'
+        Image|endswith: '\ngentask.exe'
+    filter_optional_programfiles:
+        Image|contains:
+            - ':\Program Files\'
+            - ':\Program Files (x86)\'
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - Unknown
+level: low

rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml

@@ -0,0 +1,50 @@
+title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
+id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
+related:
+    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
+      type: similar
+    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
+      type: similar
+    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
+      type: similar
+status: experimental
+description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+date: 2023/08/08
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\provlaunch.exe'
+    filter_main_covered_children:
+        # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
+        - Image|endswith:
+            - '\calc.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\notepad.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+        - Image|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - '\AppData\Temp\'
+            - '\Windows\System32\Tasks\'
+            - '\Windows\Tasks\'
+            - '\Windows\Temp\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml

@@ -0,0 +1,49 @@
+title: Suspicious Provlaunch.EXE Child Process
+id: f9999590-1f94-4a34-a91e-951e47bedefd
+related:
+    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
+      type: similar
+    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
+      type: similar
+    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
+      type: similar
+status: experimental
+description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/08
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\provlaunch.exe'
+    selection_child:
+        - Image|endswith:
+            - '\calc.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            - '\notepad.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+        - Image|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - '\AppData\Temp\'
+            - '\Windows\System32\Tasks\'
+            - '\Windows\Tasks\'
+            - '\Windows\Temp\'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml

@@ -0,0 +1,29 @@
+title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
+id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
+related:
+    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
+      type: similar
+    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
+      type: similar
+    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
+      type: similar
+status: experimental
+description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
+date: 2023/08/08
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml

@@ -0,0 +1,31 @@
+title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
+id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
+related:
+    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
+      type: similar
+    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
+      type: similar
+    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
+      type: similar
+status: experimental
+description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+    - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    category: registry_set
+    product: windows
+    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high