style: Automatic code formatting
actions-user committed Oct 28, 2024
1 parent 044f103 commit 4ce9562
Showing 10 changed files with 303 additions and 102 deletions.
10 changes: 7 additions & 3 deletions modules/signatures/windows/bypass_uac.py
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,8 @@ def run(self):
return True

return False


class UACBypassWindowsBackup(Signature):
name = "uac_bypass_windows_Backup"
description = "Attempts to use Windows Backup and Restore (sdclt.exe) to bypass UAC"
Expand All @@ -227,8 +229,10 @@ class UACBypassWindowsBackup(Signature):
minimum = "0.5"
evented = True
ttps = ["T1548", "T1548.002"]
references = ["https://github.com/hfiref0x/UACME",
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml"]
references = [
"https://github.com/hfiref0x/UACME",
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_uac_bypass_via_sdclt.toml",
]

filter_apinames = set(["CreateProcessInternalW"])

Expand All @@ -249,4 +253,4 @@ def on_complete(self):
lower = cmdline.lower()
if "sdclt.exe" in lower and "/kickoffelev" in lower:
return True
return False
return False
6 changes: 4 additions & 2 deletions modules/signatures/windows/credential_access.py
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ def run(self):

return ret


class AccessWindowsPasswordsVault(Signature):
name = "access_windows_passwords_vault"
description = "Attempts to access Vault passwords via PowerShell"
Expand All @@ -95,7 +96,8 @@ class AccessWindowsPasswordsVault(Signature):
evented = True
ttps = ["T1059"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_access_to_windows_passwords_vault_via_powershell.toml"]
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_access_to_windows_passwords_vault_via_powershell.toml"
]

filter_apinames = set(["CreateProcessInternalW"])

Expand All @@ -116,4 +118,4 @@ def on_complete(self):
lower = cmdline.lower()
if "powershell" in lower and any(arg in lower for arg in ["passwordvault", "retrievepassword", "retrieveall"]):
return True
return False
return False
42 changes: 33 additions & 9 deletions modules/signatures/windows/credential_dumping.py
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,7 @@ def run(self):

return False


class DumpLSAViaWindowsErrorReporting(Signature):
name = "dump_lsa_via_windows_error_reporting"
description = "Attempts to create LSASS crash dump via Windows Error Reporting process"
Expand All @@ -225,7 +226,8 @@ class DumpLSAViaWindowsErrorReporting(Signature):
evented = True
ttps = ["T1003"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_lsa_dump_via_windows_error_reporting.toml"]
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_lsa_dump_via_windows_error_reporting.toml"
]

filter_apinames = set(["NtCreateFile"])

Expand All @@ -239,6 +241,7 @@ def on_call(self, call, process):
if filename.endswith(".dmp") and "lsass_" in filename:
return True


class KerberosCredentialAccessViaRubeus(Signature):
name = "kerberos_credential_access_via_rubeus"
description = "Attempts to manipulate/abuse Kerberos Ticketing System via Rubeus toolset"
Expand All @@ -249,17 +252,38 @@ class KerberosCredentialAccessViaRubeus(Signature):
evented = True
ttps = ["T1003"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_potential_credential_access_via_rubeus.toml"]
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/credential_access_potential_credential_access_via_rubeus.toml"
]

def run(self):
cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
for cmdline in cmdlines:
lower = cmdline.lower()
if "rebeus" in lower and any(arg in lower for arg in ["asreproast", "dump /service:krbtgt", "dump /luid",
"kerberoast", "createnetonly /program", "ptt /ticket",
"/impersonateuser", "renew /ticket", "asktgt /user",
"asktgs /ticket", "harvest /interval", "s4u /user",
"s4u /ticket", "hash /password", "tgtdeleg", "tgtdeleg /target",
"golden /des", "golden /rc4", "golden /aes128", "golden /aes256", "changpw /ticket"]):
if "rebeus" in lower and any(
arg in lower
for arg in [
"asreproast",
"dump /service:krbtgt",
"dump /luid",
"kerberoast",
"createnetonly /program",
"ptt /ticket",
"/impersonateuser",
"renew /ticket",
"asktgt /user",
"asktgs /ticket",
"harvest /interval",
"s4u /user",
"s4u /ticket",
"hash /password",
"tgtdeleg",
"tgtdeleg /target",
"golden /des",
"golden /rc4",
"golden /aes128",
"golden /aes256",
"changpw /ticket",
]
):
return True
return False
return False
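Review bot: The substring test `"rebeus" in lower` in KerberosCredentialAccessViaRubeus.run looks like a typo for the tool name the signature is meant to match ("rubeus", as in the class name and the `name` attribute), so as written the rule can never fire; the reformatting carried it over unchanged. The first line of the condition should read `if "rubeus" in lower and any(`, and `"changpw /ticket"` in the argument list appears to have the same problem (the Rubeus action is spelled `changepw`), so both deserve a unit test with a sample command line so a dead rule cannot survive future edits silently. The `self.results.get("behavior").get("summary").get("executed_commands")` chain will also raise if any level is missing (`.get` on None, or iterating None), aborting the whole signature run rather than returning False; defaulting the intermediate lookups to `{}` and the final one to `[]` keeps the loop safe. The same lookup chain appears in exploit_spooler.py and ipc_namedpipe.py below.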
20 changes: 16 additions & 4 deletions modules/signatures/windows/deletes_consolehost_history.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,15 +9,27 @@ class DeletesExecutedFiles(Signature):
authors = ["@para0x0dise"]
minimum = "1.2"
ttps = ["T1070.003"]
references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_suspicious_powershell_console_history_deletion.toml"
]
evented = True

filter_apinames = set(["NtDeleteFile", "DeleteFileA", "DeleteFileW"])

def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
self.isDeleted = False
self.blacklistedApps = ["powershell.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "winword.exe", "excel.exe"]
self.blacklistedApps = [
"powershell.exe",
"rundll32.exe",
"regsvr32.exe",
"cmd.exe",
"wscript.exe",
"cscript.exe",
"mshta.exe",
"winword.exe",
"excel.exe",
]
self.blacklistedPaths = ["\\users\\", "\\windows\\temp\\", "\\programdata\\", "\\windows\\microsoft.net\\"]

def on_call(self, call, process):
Expand All @@ -35,4 +47,4 @@ def on_complete(self):
for proc in self.results.get("behavior").get("processtree"):
if proc.get("name") in self.blacklistedApps or proc["module_path"].lower() in self.blacklistedPaths:
return True
return False
return False
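Review bot: The check `proc["module_path"].lower() in self.blacklistedPaths` in DeletesExecutedFiles.on_complete tests whether the whole lowercased path is an element of the list of path fragments (`"\\users\\"`, `"\\windows\\temp\\"`, ...), which is only true when the path equals one fragment exactly; the intent reads as a substring match, i.e. `any(p in proc["module_path"].lower() for p in self.blacklistedPaths)`. As written, only the `proc.get("name") in self.blacklistedApps` half of the condition can trigger, so the path-based half of the detection is dead. `proc["module_path"]` is also indexed directly while `name` uses `.get`, so a process-tree entry lacking that key raises KeyError instead of being skipped; `proc.get("module_path", "")` keeps the loop going. on_complete starts outside the hunk, so whatever precedes the loop is not visible here.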
14 changes: 10 additions & 4 deletions modules/signatures/windows/exploit_spooler.py
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ def run(self):

return False


class EscalatePrivilegeViaNTLMRelay(Signature):
name = "escalate_privilege_via_ntlm_relay"
description = "Attempts to coerce a local NTLM authentication via HTTP using Printer Spooler service as a target"
Expand All @@ -72,15 +73,20 @@ class EscalatePrivilegeViaNTLMRelay(Signature):
authors = ["@para0x0dise"]
minimum = "1.2"
ttps = ["T1068"]
references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_ntlmrelay2self.toml"
]
evented = True

def run(self):
cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
for cmdline in cmdlines:
lower = cmdline.lower()

if ("rundll32.exe" in lower and any(arg in lower for arg in ["davclnt.dll,davsetcookie"])
and any(arg in lower for arg in ["/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc"])):
if (
"rundll32.exe" in lower
and any(arg in lower for arg in ["davclnt.dll,davsetcookie"])
and any(arg in lower for arg in ["/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc"])
):
return True
return False
return False
18 changes: 12 additions & 6 deletions modules/signatures/windows/ipc_namedpipe.py
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ def on_complete(self):

return ret


class EscalatePrivilegeViaNamedPipe(Signature):
name = "escalate_privilege_via_named_pipe"
description = "Attempts to escalate privilege via named pipe"
Expand All @@ -107,7 +108,8 @@ class EscalatePrivilegeViaNamedPipe(Signature):
evented = True
ttps = ["T1134"]
references = [
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml"]
"https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/privilege_escalation_privilege_escalation_via_named_pipe_impersonation.toml"
]

filter_apinames = set(["CreateProcessInternalW"])

Expand All @@ -118,15 +120,19 @@ def on_call(self, call, process):
if pname in ["chrome.exe", "msedge.exe"] and call["api"] == "CreateProcessInternalW":
cmdline = self.get_argument(call, "CommandLine")
lower = cmdline.lower()
if (any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
and "\\\\.\\pipe\\" in lower):
if (
any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
and "\\\\.\\pipe\\" in lower
):
return False

def on_complete(self):
cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
for cmdline in cmdlines:
lower = cmdline.lower()
if (any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
and "\\\\.\\pipe\\" in lower):
if (
any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
and "\\\\.\\pipe\\" in lower
):
return True
return False
return False
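Review bot: In EscalatePrivilegeViaNamedPipe.on_call the generator variable in `any(process in lower for process in [...])` reuses the name of the method's `process` parameter; the comprehension scope keeps the parameter intact, but it is easy to misread, and `any(binary in lower for binary in [...])` avoids the confusion. The same four-name list and `"\\\\.\\pipe\\"` test are duplicated verbatim between on_call and on_complete, so a class-level tuple such as `SHELLS = ("cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe")` plus a small `_spawns_shell_with_pipe(lower)` helper would keep the two branches from drifting. The `return False` on a match inside on_call (for chrome/msedge parents) looks like a deliberate exclusion of browser-spawned helpers, but nothing says so; a one-line comment stating what returning False is meant to achieve there would stop the next reader from "fixing" it into `return True`.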