Merge pull request #463 from para0x0dise/new-detection-artifacts

New Detection Artifacts

modules/signatures/windows/bypass_uac.py

@@ -218,3 +218,35 @@ def run(self):
                 return True
 
         return False
+class UACBypassWindowsBackup(Signature):
+    name = "uac_bypass_windows_Backup"
+    description = "Attempts to use Windows Backup and Restore (sdclt.exe) to bypass UAC"
+    severity = 3
+    categories = ["bypass"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1548", "T1548.002"]
+    references = ["https://github.com/hfiref0x/UACME",
+                  "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml"]
+
+    filter_apinames = set(["CreateProcessInternalW"])
+
+    def on_call(self, call, process):
+        pname = process["process_name"].lower()
+
+        # Checking parent process for false positives.
+        if pname == "sdclt.exe":
+            if call["api"] == "CreateProcessInternalW":
+                cmdline = self.get_argument(call, "CommandLine")
+                lower = cmdline.lower()
+                if any(process in lower for process in ["control.exe", "werfault.exe", "wermgr.exe", "sdclt.exe"]):
+                    return False
+
+    def on_complete(self):
+        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "sdclt.exe" in lower and "/kickoffelev" in lower:
+                return True
+        return False

modules/signatures/windows/credential_access.py

@@ -84,3 +84,36 @@ def run(self):
                 self.data.append({"command": cmdline})
 
         return ret
+
+class AccessWindowsPasswordsVault(Signature):
+    name = "access_windows_passwords_vault"
+    description = "Attempts to access Vault passwords via PowerShell"
+    severity = 3
+    categories = ["credential_access"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1059"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_access_to_windows_passwords_vault_via_powershell.toml"]
+
+    filter_apinames = set(["CreateProcessInternalW"])
+
+    def on_call(self, call, process):
+        pname = process["process_name"].lower()
+
+        # Checking parent process for false positives.
+        if pname == "keeperpasswordmanager.exe":
+            if call["api"] == "CreateProcessInternalW":
+                cmdline = self.get_argument(call, "CommandLine")
+                lower = cmdline.lower()
+                if any(arg in lower for arg in ["passwordvault", "retrievepassword", "retrieveall"]):
+                    return False
+
+    def on_complete(self):
+        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "powershell" in lower and any(arg in lower for arg in ["passwordvault", "retrievepassword", "retrieveall"]):
+                return True
+        return False

modules/signatures/windows/credential_dumping.py

@@ -214,3 +214,52 @@ def run(self):
                 return True
 
         return False
+
+class DumpLSAViaWindowsErrorReporting(Signature):
+    name = "dump_lsa_via_windows_error_reporting"
+    description = "Attempts to create LSASS crash dump via Windows Error Reporting process"
+    severity = 3
+    categories = ["credential_access", "credential_dumping"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1003"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_lsa_dump_via_windows_error_reporting.toml"]
+
+    filter_apinames = set(["NtCreateFile"])
+
+    def on_call(self, call, process):
+        pname = process["process_name"].lower()
+
+        # Checking parent process for false positives.
+        if pname in ["WerFaultSecure.exe", "WerFault.exe"]:
+            if call["api"] == "NtCreateFile":
+                filename = self.get_argument(call, "FileName")
+                if filename.endswith(".dmp") and "lsass_" in filename:
+                    return True
+
+class KerberosCredentialAccessViaRubeus(Signature):
+    name = "kerberos_credential_access_via_rubeus"
+    description = "Attempts to manipulate/abuse Kerberos Ticketing System via Rubeus toolset"
+    severity = 3
+    categories = ["credential_access", "credential_dumping"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1003"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_potential_credential_access_via_rubeus.toml"]
+
+    def run(self):
+        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "rebeus" in lower and any(arg in lower for arg in ["asreproast", "dump /service:krbtgt", "dump /luid",
+                                    "kerberoast", "createnetonly /program", "ptt /ticket",
+                                    "/impersonateuser", "renew /ticket", "asktgt /user",
+                                    "asktgs /ticket", "harvest /interval", "s4u /user",
+                                    "s4u /ticket", "hash /password", "tgtdeleg", "tgtdeleg /target",
+                                    "golden /des", "golden /rc4", "golden /aes128", "golden /aes256", "changpw /ticket"]):
+                return True
+        return False

modules/signatures/windows/deletes_consolehost_history.py

@@ -0,0 +1,38 @@
+from lib.cuckoo.common.abstracts import Signature
+
+
+class DeletesExecutedFiles(Signature):
+    name = "deletes_consolehost_history"
+    description = "Deletes PowerShell Console History to conceal the action undertaken during an intrusion"
+    severity = 3
+    categories = ["stealth"]
+    authors = ["@para0x0dise"]
+    minimum = "1.2"
+    ttps = ["T1070.003"]
+    references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml"]
+    evented = True
+
+    filter_apinames = set(["NtDeleteFile", "DeleteFileA", "DeleteFileW"])
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.isDeleted = False
+        self.blacklistedApps = ["powershell.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
+                                "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"]
+        self.blacklistedPaths = ["\\users\\", "\\windows\\temp\\", "\\programdata\\", "\\windows\\microsoft.net\\"]
+
+    def on_call(self, call, process):
+        if call["api"] == "NtDeleteFile" or call["api"] == "DeleteFileA" or call["api"] == "DeleteFileW":
+            if "ConsoleHost_history.txt" in self.get_argument(call, "FileName"):
+                self.isDeleted = True
+                if self.pid:
+                    self.mark_call()
+                return
+
+    def on_complete(self):
+
+        # Verify True Positives
+        if self.isDeleted:
+            for proc in self.results.get("behavior").get("processtree"):
+                if proc.get("name") in self.blacklistedApps or proc["module_path"].lower() in self.blacklistedPaths:
+                    return True
+        return False

modules/signatures/windows/exploit_spooler.py

@@ -63,3 +63,24 @@ def run(self):
                 return True
 
         return False
+
+class EscalatePrivilegeViaNTLMRelay(Signature):
+    name = "escalate_privilege_via_ntlm_relay"
+    description = "Attempts to coerce a local NTLM authentication via HTTP using Printer Spooler service as a target"
+    severity = 3
+    categories = ["bypass"]
+    authors = ["@para0x0dise"]
+    minimum = "1.2"
+    ttps = ["T1068"]
+    references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml"]
+    evented = True
+
+    def run(self):
+        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+
+            if ("rundll32.exe" in lower and any(arg in lower for arg in ["davclnt.dll,davsetcookie"])
+                    and any(arg in lower for arg in ["/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc"])):
+                return True
+        return False

modules/signatures/windows/ipc_namedpipe.py

@@ -96,3 +96,37 @@ def on_complete(self):
                         self.data.append({"Interacts": desc})
 
         return ret
+
+class EscalatePrivilegeViaNamedPipe(Signature):
+    name = "escalate_privilege_via_named_pipe"
+    description = "Attempts to escalate privilege via named pipe"
+    severity = 3
+    categories = ["bypass"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1134"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml"]
+
+    filter_apinames = set(["CreateProcessInternalW"])
+
+    def on_call(self, call, process):
+        pname = process["process_name"].lower()
+
+        # Checking parent process for false positives.
+        if pname in ["chrome.exe", "msedge.exe"] and call["api"] == "CreateProcessInternalW":
+            cmdline = self.get_argument(call, "CommandLine")
+            lower = cmdline.lower()
+            if (any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
+                    and "\\\\.\\pipe\\" in lower):
+                return False
+
+    def on_complete(self):
+        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if (any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
+                    and "\\\\.\\pipe\\" in lower):
+                return True
+        return False