Sigma Rule Update (2024-01-12 20:07:44) (#565)
Co-authored-by: hach1yon <[email protected]>
github-actions[bot] and hach1yon authored Jan 12, 2024
1 parent c5b61f3 commit fb8faa4
Showing 6 changed files with 697 additions and 0 deletions.
188 changes: 188 additions & 0 deletions sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml
@@ -0,0 +1,188 @@
title: PUA - PingCastle Execution
id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
- id: b37998de-a70b-4f33-b219-ec36bf433dc0
type: derived
status: experimental
description: Detects the execution of PingCastle, a tool designed to quickly assess
the Active Directory security level.
references:
- https://github.com/vletoux/pingcastle
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024/01/11
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
- Hashes|contains:
- MD5=f741f25ac909ee434e50812d436c73ff
- MD5=d40acbfc29ee24388262e3d8be16f622
- MD5=01bb2c16fadb992fa66228cd02d45c60
- MD5=9e1b18e62e42b5444fc55b51e640355b
- MD5=b7f8fe33ac471b074ca9e630ba0c7e79
- MD5=324579d717c9b9b8e71d0269d13f811f
- MD5=63257a1ddaf83cfa43fe24a3bc06c207
- MD5=049e85963826b059c9bac273bb9c82ab
- MD5=ecb98b7b4d4427eb8221381154ff4cb2
- MD5=faf87749ac790ec3a10dd069d10f9d63
- MD5=f296dba5d21ad18e6990b1992aea8f83
- MD5=93ba94355e794b6c6f98204cf39f7a11
- MD5=a258ef593ac63155523a461ecc73bdba
- MD5=97000eb5d1653f1140ee3f47186463c4
- MD5=95eb317fbbe14a82bd9fdf31c48b8d93
- MD5=32fe9f0d2630ac40ea29023920f20f49
- MD5=a05930dde939cfd02677fc18bb2b7df5
- MD5=124283924e86933ff9054a549d3a268b
- MD5=ceda6909b8573fdeb0351c6920225686
- MD5=60ce120040f2cd311c810ae6f6bbc182
- MD5=2f10cdc5b09100a260703a28eadd0ceb
- MD5=011d967028e797a4c16d547f7ba1463f
- MD5=2da9152c0970500c697c1c9b4a9e0360
- MD5=b5ba72034b8f44d431f55275bace9f8b
- MD5=d6ed9101df0f24e27ff92ddab42dacca
- MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d
- MD5=5e083cd0143ae95a6cb79b68c07ca573
- MD5=28caff93748cb84be70486e79f04c2df
- MD5=9d4f12c30f9b500f896efd1800e4dd11
- MD5=4586f7dd14271ad65a5fb696b393f4c0
- MD5=86ba9dddbdf49215145b5bcd081d4011
- MD5=9dce0a481343874ef9a36c9a825ef991
- MD5=85890f62e231ad964b1fda7a674747ec
- MD5=599be548da6441d7fe3e9a1bb8cb0833
- MD5=9b0c7fd5763f66e9b8c7b457fce53f96
- MD5=32d45718164205aec3e98e0223717d1d
- MD5=6ff5f373ee7f794cd17db50704d00ddb
- MD5=88efbdf41f0650f8f58a3053b0ca0459
- MD5=ef915f61f861d1fb7cbde9afd2e7bd93
- MD5=781fa16511a595757154b4304d2dd350
- MD5=5018ec39be0e296f4fc8c8575bfa8486
- MD5=f4a84d6f1caf0875b50135423d04139f
- SHA1=9c1431801fa6342ed68f047842b9a11778fc669b
- SHA1=c36c862f40dad78cb065197aad15fef690c262f2
- SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d
- SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f
- SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa
- SHA1=f14c9633040897d375e3069fddc71e859f283778
- SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc
- SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937
- SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36
- SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b
- SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc
- SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11
- SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995
- SHA1=607e1fa810c799735221a609af3bfc405728c02d
- SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3
- SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a
- SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491
- SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178
- SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4
- SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84
- SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea
- SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17
- SHA1=81d67b3d70c4e855cb11a453cc32997517708362
- SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad
- SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2
- SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92
- SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1
- SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a
- SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db
- SHA1=3150f14508ee4cae19cf09083499d1cda8426540
- SHA1=036ad9876fa552b1298c040e233d620ea44689c6
- SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5
- SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c
- SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d
- SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4
- SHA1=c82152cddf9e5df49094686531872ecd545976db
- SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61
- SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836
- SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719
- SHA1=34c0c5839af1c92bce7562b91418443a2044c90d
- SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08
- SHA1=3a515551814775df0ccbe09f219bc972eae45a10
- SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b
- SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85
- SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03
- SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795
- SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f
- SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a
- SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275
- SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b
- SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2
- SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae
- SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6
- SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a
- SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1
- SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559
- SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2
- SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef
- SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d
- SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524
- SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b
- SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b
- SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629
- SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358
- SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca
- SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea
- SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172
- SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4
- SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2
- SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66
- SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27
- SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41
- SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1
- SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0
- SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8
- SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d
- SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726
- SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90
- SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5
- SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140
- SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87
- SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892
- SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054
- SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd
- NewProcessName|endswith: \PingCastle.exe
- OriginalFileName: PingCastle.exe
- Product: Ping Castle
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
condition: process_creation and selection
falsepositives:
- Unknown
level: medium
ruletype: Sigma
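Review bot: the `Hashes`, `OriginalFileName` and `Product` alternatives under `selection` in this hunk can never match, because the rule is pinned to `EventID: 4688` on `Channel: Security` and the native 4688 event carries no file-hash or PE version-info fields (those come from Sysmon Event ID 1, not the Security log). Only `NewProcessName|endswith: \PingCastle.exe` and the `CommandLine|contains` entries can fire here, and the CommandLine ones only on hosts where "Include command line in process creation events" is enabled. Either drop the three dead alternatives from this builtin variant or state in the description that they are kept for parity with the Sysmon counterpart. Two smaller points: `falsepositives: - Unknown` undersells a tool that administrators and auditors run on purpose, so something like `- Legitimate use by administrators or security assessors` fits the `medium` level better; and `related` marks b37998de-a70b-4f33-b219-ec36bf433dc0 as `type: derived` while that rule marks this one as `derived` too, which is circular, and only the child rule should carry `derived` (the parent can use `similar` or omit the entry).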
@@ -0,0 +1,98 @@
title: PUA - PingCastle Execution From Potentially Suspicious Parent
id: b37998de-a70b-4f33-b219-ec36bf433dc0
related:
- id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
type: derived
status: experimental
description: 'Detects the execution of PingCastle, a tool designed to quickly assess
the Active Directory security level via a script located in a potentially suspicious
or uncommon location.
'
references:
- https://github.com/vletoux/pingcastle
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024/01/11
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection_parent_ext:
ParentCommandLine|contains:
- .bat
- .chm
- .cmd
- .hta
- .htm
- .html
- .js
- .lnk
- .ps1
- .vbe
- .vbs
- .wsf
selection_parent_path_1:
ParentCommandLine|contains:
- :\Perflogs\
- :\Temp\
- :\Users\Public\
- :\Windows\Temp\
- \AppData\Local\Temp
- \AppData\Roaming\
- \Temporary Internet
selection_parent_path_2:
- ParentCommandLine|contains|all:
- :\Users\
- \Favorites\
- ParentCommandLine|contains|all:
- :\Users\
- \Favourites\
- ParentCommandLine|contains|all:
- :\Users\
- \Contacts\
selection_cli:
- NewProcessName|endswith: \PingCastle.exe
- OriginalFileName: PingCastle.exe
- Product: Ping Castle
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
condition: process_creation and (1 of selection_parent_* and selection_parent_ext
and selection_cli)
falsepositives:
- Unknown
level: high
ruletype: Sigma
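Review bot: the condition closing this hunk, `1 of selection_parent_* and selection_parent_ext and selection_cli`, makes both `selection_parent_path_*` blocks dead weight: `selection_parent_ext` itself matches the `selection_parent_*` wildcard, so whenever it is true the `1 of` clause is already satisfied and the rule collapses to `selection_parent_ext and selection_cli`. A PingCastle run launched from `C:\Tools\run.ps1` therefore fires at `high` exactly like one launched from `\AppData\Local\Temp`, which is not what the title or description promises. If the intent is "script parent in a suspicious location", narrow the wildcard to the path groups, e.g. `condition: process_creation and (selection_cli and selection_parent_ext and 1 of selection_parent_path_*)`. Separately, all three parent selections key on `ParentCommandLine`, a field the Security 4688 event does not carry (it records only `ParentProcessName`), so as written this builtin variant cannot match in the declared channel at all; either switch the parent checks to `ParentProcessName` (losing the extension/path-in-arguments matching) or document that the rule only works against Sysmon data.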
@@ -0,0 +1,61 @@
title: Renamed PingCastle Binary Execution
id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
status: experimental
description: Detects the execution of a renamed "PingCastle" binary based on the PE
metadata fields.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.pingcastle.com/documentation/scanner/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024/01/11
tags:
- attack.execution
- attack.t1059
- attack.defense_evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
process_creation:
EventID: 4688
Channel: Security
selection:
- OriginalFileName:
- PingCastleReporting.exe
- PingCastleCloud.exe
- PingCastle.exe
- CommandLine|contains:
- --scanner aclcheck
- --scanner antivirus
- --scanner computerversion
- --scanner foreignusers
- --scanner laps_bitlocker
- --scanner localadmin
- --scanner nullsession
- --scanner nullsession-trust
- --scanner oxidbindings
- --scanner remote
- --scanner share
- --scanner smb
- --scanner smb3querynetwork
- --scanner spooler
- --scanner startup
- --scanner zerologon
- CommandLine|contains: --no-enum-limit
- CommandLine|contains|all:
- --healthcheck
- --level Full
- CommandLine|contains|all:
- --healthcheck
- '--server '
filter_main_img:
NewProcessName|endswith:
- \PingCastleReporting.exe
- \PingCastleCloud.exe
- \PingCastle.exe
condition: process_creation and (selection and not 1 of filter_main_*)
falsepositives:
- Unknown
level: high
ruletype: Sigma
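Review bot: the ATT&CK tags in this hunk do not describe the behaviour being detected: `attack.t1059` is Command and Scripting Interpreter and `attack.t1202` is Indirect Command Execution, whereas running a renamed binary to dodge name-based detection is Masquerading (`attack.t1036`; the usual tag for renamed-binary rules is `attack.t1036.003`). Keep `attack.defense_evasion`, add the T1036 tag and drop the execution pair. Also, the `OriginalFileName` branch of `selection` is inert on `Channel: Security` / `EventID: 4688` (that event has no PE version-info fields), so in this builtin variant only the `CommandLine|contains` alternatives can trigger, and a renamed PingCastle.exe started with a bare `--healthcheck` and no `--level Full` or `--server` argument slips past the rule entirely; that gap belongs in the description or falsepositives so operators do not assume hash- or metadata-based coverage.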