diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml new file mode 100644 index 000000000..b1d287739 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle.yml 
@@ -0,0 +1,188 @@ +title: PUA - PingCastle Execution +id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c +related: + - id: b37998de-a70b-4f33-b219-ec36bf433dc0 + type: derived +status: experimental +description: Detects the execution of PingCastle, a tool designed to quickly assess + the Active Directory security level. +references: + - https://github.com/vletoux/pingcastle + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450 + - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 + - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699 + - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8 + - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/01/11 +tags: + - attack.reconnaissance + - attack.t1595 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - Hashes|contains: + - MD5=f741f25ac909ee434e50812d436c73ff + - MD5=d40acbfc29ee24388262e3d8be16f622 + - MD5=01bb2c16fadb992fa66228cd02d45c60 + - MD5=9e1b18e62e42b5444fc55b51e640355b + - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 + - MD5=324579d717c9b9b8e71d0269d13f811f + - MD5=63257a1ddaf83cfa43fe24a3bc06c207 + - MD5=049e85963826b059c9bac273bb9c82ab + - MD5=ecb98b7b4d4427eb8221381154ff4cb2 + - MD5=faf87749ac790ec3a10dd069d10f9d63 + - MD5=f296dba5d21ad18e6990b1992aea8f83 + - MD5=93ba94355e794b6c6f98204cf39f7a11 + - MD5=a258ef593ac63155523a461ecc73bdba + - MD5=97000eb5d1653f1140ee3f47186463c4 + - 
MD5=95eb317fbbe14a82bd9fdf31c48b8d93 + - MD5=32fe9f0d2630ac40ea29023920f20f49 + - MD5=a05930dde939cfd02677fc18bb2b7df5 + - MD5=124283924e86933ff9054a549d3a268b + - MD5=ceda6909b8573fdeb0351c6920225686 + - MD5=60ce120040f2cd311c810ae6f6bbc182 + - MD5=2f10cdc5b09100a260703a28eadd0ceb + - MD5=011d967028e797a4c16d547f7ba1463f + - MD5=2da9152c0970500c697c1c9b4a9e0360 + - MD5=b5ba72034b8f44d431f55275bace9f8b + - MD5=d6ed9101df0f24e27ff92ddab42dacca + - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d + - MD5=5e083cd0143ae95a6cb79b68c07ca573 + - MD5=28caff93748cb84be70486e79f04c2df + - MD5=9d4f12c30f9b500f896efd1800e4dd11 + - MD5=4586f7dd14271ad65a5fb696b393f4c0 + - MD5=86ba9dddbdf49215145b5bcd081d4011 + - MD5=9dce0a481343874ef9a36c9a825ef991 + - MD5=85890f62e231ad964b1fda7a674747ec + - MD5=599be548da6441d7fe3e9a1bb8cb0833 + - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 + - MD5=32d45718164205aec3e98e0223717d1d + - MD5=6ff5f373ee7f794cd17db50704d00ddb + - MD5=88efbdf41f0650f8f58a3053b0ca0459 + - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 + - MD5=781fa16511a595757154b4304d2dd350 + - MD5=5018ec39be0e296f4fc8c8575bfa8486 + - MD5=f4a84d6f1caf0875b50135423d04139f + - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b + - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 + - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d + - SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f + - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa + - SHA1=f14c9633040897d375e3069fddc71e859f283778 + - SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc + - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 + - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 + - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b + - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc + - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 + - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 + - SHA1=607e1fa810c799735221a609af3bfc405728c02d + - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 + - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a + - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 + - 
SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 + - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 + - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 + - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea + - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 + - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 + - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad + - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 + - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 + - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 + - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a + - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db + - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 + - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 + - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 + - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c + - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d + - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 + - SHA1=c82152cddf9e5df49094686531872ecd545976db + - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 + - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 + - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 + - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d + - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 + - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 + - SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b + - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 + - SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 + - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 + - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f + - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a + - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 + - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b + - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 + - 
SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae + - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 + - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a + - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 + - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 + - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 + - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef + - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d + - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 + - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b + - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b + - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 + - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 + - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca + - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea + - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 + - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 + - SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 + - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 + - SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 + - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 + - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 + - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 + - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 + - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d + - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 + - 
SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 + - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 + - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 + - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 + - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 + - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 + - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd + - NewProcessName|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + condition: process_creation and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml new file mode 100644 index 000000000..47a02d561 --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml 
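Review bot: In this `Channel: Security` / `EventID: 4688` variant the `Hashes|contains`, `OriginalFileName` and `Product` alternatives of `selection` can never match, because native 4688 process-creation events carry none of those fields (they exist on Sysmon Event 1 only). The rule therefore reduces to `NewProcessName|endswith: \PingCastle.exe` plus the `CommandLine` patterns, and the latter only fire where the "include command line in process creation events" audit policy is enabled; if these builtin rules are generated from the Sysmon ones by a field-mapping step, the dead clauses should be dropped or a comment should state they are intentionally retained. The same applies to `OriginalFileName`/`Product` in sigma/builtin/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml and to `OriginalFileName` in sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml. Separately, `falsepositives: - Unknown` undersells a tool the description itself calls an AD assessment tool; `- Legitimate use by administrators or security auditors assessing Active Directory` is the entry a triager would expect.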
@@ -0,0 +1,98 @@ +title: PUA - PingCastle Execution From Potentially Suspicious Parent +id: b37998de-a70b-4f33-b219-ec36bf433dc0 +related: + - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c + type: derived +status: experimental +description: 'Detects the execution of PingCastle, a tool designed to quickly assess + the Active Directory security level via a script located in a potentially suspicious + or uncommon location. + + ' +references: + - https://github.com/vletoux/pingcastle + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450 + - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 + - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699 + - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8 + - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2024/01/11 +tags: + - attack.reconnaissance + - attack.t1595 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection_parent_ext: + ParentCommandLine|contains: + - .bat + - .chm + - .cmd + - .hta + - .htm + - .html + - .js + - .lnk + - .ps1 + - .vbe + - .vbs + - .wsf + selection_parent_path_1: + ParentCommandLine|contains: + - :\Perflogs\ + - :\Temp\ + - :\Users\Public\ + - :\Windows\Temp\ + - \AppData\Local\Temp + - \AppData\Roaming\ + - \Temporary Internet + selection_parent_path_2: + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - ParentCommandLine|contains|all: + - :\Users\ + - 
\Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ + selection_cli: + - NewProcessName|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + condition: process_creation and (1 of selection_parent_* and selection_parent_ext + and selection_cli) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml b/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml new file mode 100644 index 000000000..0157f115c --- /dev/null +++ b/sigma/builtin/process_creation/proc_creation_win_renamed_pingcastle.yml 
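Review bot: The condition `1 of selection_parent_* and selection_parent_ext and selection_cli` leaves both `selection_parent_path_*` selections dead, because the glob `selection_parent_*` also matches `selection_parent_ext`, which the `and` already requires — so the rule fires at `level: high` on any PingCastle run whose parent command line merely contains `.ps1`, `.bat`, `.js` and so on, regardless of where the script lives. The intended logic is presumably `condition: process_creation and (1 of selection_parent_path_* and selection_parent_ext and selection_cli)`. The same condition appears in sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml. Minor: the single-quoted `description` has a blank line before the closing quote, so the loaded string ends with a newline; a plain folded scalar like the sibling rules use would avoid that.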
@@ -0,0 +1,61 @@ +title: Renamed PingCastle Binary Execution +id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 +status: experimental +description: Detects the execution of a renamed "PingCastle" binary based on the PE + metadata fields. +references: + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://www.pingcastle.com/documentation/scanner/ +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2024/01/11 +tags: + - attack.execution + - attack.t1059 + - attack.defense_evasion + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 4688 + Channel: Security + selection: + - OriginalFileName: + - PingCastleReporting.exe + - PingCastleCloud.exe + - PingCastle.exe + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + filter_main_img: + NewProcessName|endswith: + - \PingCastleReporting.exe + - \PingCastleCloud.exe + - \PingCastle.exe + condition: process_creation and (selection and not 1 of filter_main_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml new file mode 100644 index 000000000..9baf42af2 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle.yml 
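Review bot: The `CommandLine|contains` alternatives in `selection` are not PE-metadata checks, and `filter_main_img` only excludes images named PingCastle*.exe, so a shell or script host whose own command line relays the arguments (constructed example: a cmd.exe process whose command line embeds `PingCastle.exe --healthcheck --server dc01`) matches this `level: high` rule as a "renamed" binary although nothing was renamed. That should at least be documented: `falsepositives: - Launchers such as cmd.exe or powershell.exe whose command line embeds PingCastle arguments`, and the description should read "based on the PE metadata fields or characteristic command-line arguments" so the two signal strengths are not conflated. The same applies to sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml.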
@@ -0,0 +1,189 @@ +title: PUA - PingCastle Execution +id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c +related: + - id: b37998de-a70b-4f33-b219-ec36bf433dc0 + type: derived +status: experimental +description: Detects the execution of PingCastle, a tool designed to quickly assess + the Active Directory security level. +references: + - https://github.com/vletoux/pingcastle + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450 + - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 + - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699 + - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8 + - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2024/01/11 +tags: + - attack.reconnaissance + - attack.t1595 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + - Hashes|contains: + - MD5=f741f25ac909ee434e50812d436c73ff + - MD5=d40acbfc29ee24388262e3d8be16f622 + - MD5=01bb2c16fadb992fa66228cd02d45c60 + - MD5=9e1b18e62e42b5444fc55b51e640355b + - MD5=b7f8fe33ac471b074ca9e630ba0c7e79 + - MD5=324579d717c9b9b8e71d0269d13f811f + - MD5=63257a1ddaf83cfa43fe24a3bc06c207 + - MD5=049e85963826b059c9bac273bb9c82ab + - MD5=ecb98b7b4d4427eb8221381154ff4cb2 + - MD5=faf87749ac790ec3a10dd069d10f9d63 + - MD5=f296dba5d21ad18e6990b1992aea8f83 + - MD5=93ba94355e794b6c6f98204cf39f7a11 + - MD5=a258ef593ac63155523a461ecc73bdba + - MD5=97000eb5d1653f1140ee3f47186463c4 
+ - MD5=95eb317fbbe14a82bd9fdf31c48b8d93 + - MD5=32fe9f0d2630ac40ea29023920f20f49 + - MD5=a05930dde939cfd02677fc18bb2b7df5 + - MD5=124283924e86933ff9054a549d3a268b + - MD5=ceda6909b8573fdeb0351c6920225686 + - MD5=60ce120040f2cd311c810ae6f6bbc182 + - MD5=2f10cdc5b09100a260703a28eadd0ceb + - MD5=011d967028e797a4c16d547f7ba1463f + - MD5=2da9152c0970500c697c1c9b4a9e0360 + - MD5=b5ba72034b8f44d431f55275bace9f8b + - MD5=d6ed9101df0f24e27ff92ddab42dacca + - MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d + - MD5=5e083cd0143ae95a6cb79b68c07ca573 + - MD5=28caff93748cb84be70486e79f04c2df + - MD5=9d4f12c30f9b500f896efd1800e4dd11 + - MD5=4586f7dd14271ad65a5fb696b393f4c0 + - MD5=86ba9dddbdf49215145b5bcd081d4011 + - MD5=9dce0a481343874ef9a36c9a825ef991 + - MD5=85890f62e231ad964b1fda7a674747ec + - MD5=599be548da6441d7fe3e9a1bb8cb0833 + - MD5=9b0c7fd5763f66e9b8c7b457fce53f96 + - MD5=32d45718164205aec3e98e0223717d1d + - MD5=6ff5f373ee7f794cd17db50704d00ddb + - MD5=88efbdf41f0650f8f58a3053b0ca0459 + - MD5=ef915f61f861d1fb7cbde9afd2e7bd93 + - MD5=781fa16511a595757154b4304d2dd350 + - MD5=5018ec39be0e296f4fc8c8575bfa8486 + - MD5=f4a84d6f1caf0875b50135423d04139f + - SHA1=9c1431801fa6342ed68f047842b9a11778fc669b + - SHA1=c36c862f40dad78cb065197aad15fef690c262f2 + - SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d + - SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f + - SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa + - SHA1=f14c9633040897d375e3069fddc71e859f283778 + - SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc + - SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937 + - SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36 + - SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b + - SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc + - SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11 + - SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995 + - SHA1=607e1fa810c799735221a609af3bfc405728c02d + - SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3 + - SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a + - SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491 + 
- SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178 + - SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4 + - SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84 + - SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea + - SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17 + - SHA1=81d67b3d70c4e855cb11a453cc32997517708362 + - SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad + - SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2 + - SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92 + - SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1 + - SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a + - SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db + - SHA1=3150f14508ee4cae19cf09083499d1cda8426540 + - SHA1=036ad9876fa552b1298c040e233d620ea44689c6 + - SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5 + - SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c + - SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d + - SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4 + - SHA1=c82152cddf9e5df49094686531872ecd545976db + - SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61 + - SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836 + - SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719 + - SHA1=34c0c5839af1c92bce7562b91418443a2044c90d + - SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08 + - SHA1=3a515551814775df0ccbe09f219bc972eae45a10 + - SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b + - SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85 + - SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03 + - SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795 + - SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f + - SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a + - SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275 + - SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b + - SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2 + - 
SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae + - SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6 + - SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a + - SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1 + - SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559 + - SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2 + - SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef + - SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d + - SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524 + - SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b + - SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b + - SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629 + - SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358 + - SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca + - SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea + - SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172 + - SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4 + - SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2 + - SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66 + - SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27 + - SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41 + - SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1 + - SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0 + - SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8 + - SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d + - SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726 + - 
SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90 + - SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5 + - SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140 + - SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87 + - SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892 + - SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054 + - SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd + - Image|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + condition: process_creation and selection +falsepositives: + - Unknown +level: medium +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml new file mode 100644 index 000000000..30b376ac7 --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml 
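Review bot: Which of the `Hashes|contains` entries can ever match depends on the Sysmon `HashAlgorithms` setting on the sensor: Sysmon writes only the configured algorithms into the `Hashes` field, and its default is SHA1 alone, so on a default deployment the `MD5=` and `SHA256=` entries — the bulk of `selection` — are inert and only the `SHA1=` list carries signal. A short comment above the list, such as `# Hash entries only match algorithms enabled via Sysmon HashAlgorithms (default: SHA1)`, would keep the next maintainer from assuming full coverage. The list is also a snapshot of specific PingCastle builds as of the rule date; the same comment could say so, making it explicit that newer releases fall through to the `Image`/`OriginalFileName`/`Product`/`CommandLine` alternatives.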
@@ -0,0 +1,99 @@ +title: PUA - PingCastle Execution From Potentially Suspicious Parent +id: b37998de-a70b-4f33-b219-ec36bf433dc0 +related: + - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c + type: derived +status: experimental +description: 'Detects the execution of PingCastle, a tool designed to quickly assess + the Active Directory security level via a script located in a potentially suspicious + or uncommon location. + + ' +references: + - https://github.com/vletoux/pingcastle + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450 + - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 + - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699 + - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8 + - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2024/01/11 +tags: + - attack.reconnaissance + - attack.t1595 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection_parent_ext: + ParentCommandLine|contains: + - .bat + - .chm + - .cmd + - .hta + - .htm + - .html + - .js + - .lnk + - .ps1 + - .vbe + - .vbs + - .wsf + selection_parent_path_1: + ParentCommandLine|contains: + - :\Perflogs\ + - :\Temp\ + - :\Users\Public\ + - :\Windows\Temp\ + - \AppData\Local\Temp + - \AppData\Roaming\ + - \Temporary Internet + selection_parent_path_2: + - ParentCommandLine|contains|all: + - :\Users\ + - \Favorites\ + - 
ParentCommandLine|contains|all: + - :\Users\ + - \Favourites\ + - ParentCommandLine|contains|all: + - :\Users\ + - \Contacts\ + selection_cli: + - Image|endswith: \PingCastle.exe + - OriginalFileName: PingCastle.exe + - Product: Ping Castle + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + condition: process_creation and (1 of selection_parent_* and selection_parent_ext + and selection_cli) +falsepositives: + - Unknown +level: high +ruletype: Sigma diff --git a/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml b/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml new file mode 100644 index 000000000..b2a30c95c --- /dev/null +++ b/sigma/sysmon/process_creation/proc_creation_win_renamed_pingcastle.yml 
@@ -0,0 +1,62 @@ +title: Renamed PingCastle Binary Execution +id: 2433a154-bb3d-42e4-86c3-a26bdac91c45 +status: experimental +description: Detects the execution of a renamed "PingCastle" binary based on the PE + metadata fields. +references: + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://www.pingcastle.com/documentation/scanner/ +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2024/01/11 +tags: + - attack.execution + - attack.t1059 + - attack.defense_evasion + - attack.t1202 + - sysmon +logsource: + category: process_creation + product: windows +detection: + process_creation: + EventID: 1 + Channel: Microsoft-Windows-Sysmon/Operational + selection: + - OriginalFileName: + - PingCastleReporting.exe + - PingCastleCloud.exe + - PingCastle.exe + - CommandLine|contains: + - --scanner aclcheck + - --scanner antivirus + - --scanner computerversion + - --scanner foreignusers + - --scanner laps_bitlocker + - --scanner localadmin + - --scanner nullsession + - --scanner nullsession-trust + - --scanner oxidbindings + - --scanner remote + - --scanner share + - --scanner smb + - --scanner smb3querynetwork + - --scanner spooler + - --scanner startup + - --scanner zerologon + - CommandLine|contains: --no-enum-limit + - CommandLine|contains|all: + - --healthcheck + - --level Full + - CommandLine|contains|all: + - --healthcheck + - '--server ' + filter_main_img: + Image|endswith: + - \PingCastleReporting.exe + - \PingCastleCloud.exe + - \PingCastle.exe + condition: process_creation and (selection and not 1 of filter_main_*) +falsepositives: + - Unknown +level: high +ruletype: Sigma