From 2a9d7b6d964c52a11798a4800fa573b6dfc07e6e Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 12 Mar 2026 17:46:56 +0100
Subject: [PATCH] fix(rules): Eliminate false positives and apply hardening

---
 ...ail_access_file_access_to_sam_database.yml | 12 +++-
 ..._lsass_access_from_unsigned_executable.yml | 6 +-
 ...spicious_access_to_windows_vault_files.yml | 9 ++-
 ...ccess_suspicious_vault_client_dll_load.yml | 57 +++++++++++-------
 ...tial_access_unusual_access_to_ssh_keys.yml | 4 +-
 ...ccess_to_web_browser_credential_stores.yml | 12 ++--
 ...on_activity_from_unhooked_ntdll_module.yml | 3 +-
 ...t_assembly_loaded_by_unmanaged_process.yml | 50 ++++++++++------
 ...e_evasion_hidden_registry_key_creation.yml | 6 +-
 ...ntial_ntdll_unhooking_via_file_mapping.yml | 5 +-
 ...n_process_creation_from_stomped_module.yml | 44 +++++++-------
 ...execution_from_hollowed_memory_section.yml | 5 +-
 ...ss_execution_from_self_deleting_binary.yml | 14 +++--
 ...on_suspicious_access_to_the_hosts_file.yml | 60 +++++++++++++++----
 ...ious_html_application_script_execution.yml | 3 +-
 ...spicious_object_symbolic_link_creation.yml | 51 +++++++++++-----
 ...hread_context_set_from_unbacked_memory.yml | 5 +-
 ...sion_windows_defender_driver_unloading.yml | 5 +-
 ...ded_script_execution_via_shortcut_file.yml | 14 ++++-
 ...ess_potential_clickfix_infection_chain.yml | 10 ++--
 ...spicious_child_process_integrity_level.yml | 15 ++++-
 ..._vulnerable_or_malicious_driver_loaded.yml | 11 +++-
 22 files changed, 269 insertions(+), 132 deletions(-)

diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml
index c0bcfd395..f47d31658 100644
--- a/rules/credentail_access_file_access_to_sam_database.yml
+++ b/rules/credentail_access_file_access_to_sam_database.yml
@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.5
+version: 1.0.6
 description: |
 Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -27,7 +27,15 @@ condition: >
 '?:\\Program Files\\*',
 '?:\\Program Files (x86)\\*',
 '?:\\Windows\\System32\\lsass.exe',
- '?:\\Windows\\System32\\srtasks.exe'
+ '?:\\Windows\\System32\\srtasks.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\Dism.exe',
+ '?:\\Windows\\System32\\vmwp.exe',
+ '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
+ '?:\\Windows\\System32\\wuauclt.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+ '?:\\Windows\\System32\\MRT.exe'
 )

 min-engine-version: 3.0.0
diff --git a/rules/credential_access_lsass_access_from_unsigned_executable.yml b/rules/credential_access_lsass_access_from_unsigned_executable.yml
index 4958c614c..13fca0a12 100644
--- a/rules/credential_access_lsass_access_from_unsigned_executable.yml
+++ b/rules/credential_access_lsass_access_from_unsigned_executable.yml
@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.2
+version: 1.0.3
 description: |
 Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS).
 Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -20,7 +20,9 @@ condition: >
 sequence
 maxspan 7m
 by ps.uuid
- |load_unsigned_executable|
+ |load_unsigned_executable and
+ ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'
+ |
 |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
 action:
 - name: kill
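Review bot: The added `'?:\\Windows\\System32\\svchost.exe'` entry exempts every service host from the SAM-access check without saying which service group is expected, whereas the vault-client hunk in this same patch qualifies its generic hosts (`taskhostw.exe` by `ps.parent.args intersects (...)`, `BackgroundTaskHost.exe` by `ps.args`). Because svchost.exe hosts many unrelated services, a path-only exemption hides any SAM read performed from a service context; gating it on the service group that actually produced the false positive, e.g. `(ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', '<service-group>'))`, keeps the exemption to that case. The web-browser credential-store hunk adds `svchost.exe` and `taskhostw.exe`, and the NTDLL-unhooking hunk adds `taskhostw.exe`, in the same unqualified form. The enclosing `ps.exe not imatches (` list opens before this hunk.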
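Review bot: The new `ps.exe not imatches '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'` only applies once `load_unsigned_executable` has already matched that image, so it exempts the Edge updater exactly when its signature failed to verify, which is the condition this rule exists to report. If the false positive is presumably a verification problem at process start rather than a genuinely unsigned binary, the narrower fix is to qualify the exemption with whatever distinguishes the benign case, such as `ps.parent.exe` or a `ps.signature.trusted` check in the second stage, rather than a bare path. A one-line comment in the rule recording why this path is exempt would help the next reviewer. The sequence's `|((open_process) or (open_thread)) ...|` stage is unchanged by the hunk.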
diff --git a/rules/credential_access_suspicious_access_to_windows_vault_files.yml b/rules/credential_access_suspicious_access_to_windows_vault_files.yml
index 005f051bc..b57c52841 100644
--- a/rules/credential_access_suspicious_access_to_windows_vault_files.yml
+++ b/rules/credential_access_suspicious_access_to_windows_vault_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.4
+version: 1.0.5
 description: |
 Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -27,7 +27,12 @@ condition: >
 '?:\\Program Files\\*',
 '?:\\Program Files(x86)\\*',
 '?:\\Windows\\System32\\lsass.exe',
- '?:\\Windows\\System32\\svchost.exe'
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\SearchProtocolHost.exe',
+ '?:\\Windows\\Explorer.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\*\\MsSense.exe'
 )

 min-engine-version: 3.0.0
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
index c4fa4c515..3271bfded 100644
--- a/rules/credential_access_suspicious_vault_client_dll_load.yml
+++ b/rules/credential_access_suspicious_vault_client_dll_load.yml
@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.5
+version: 1.0.6
 description: |
 Identifies loading of the Vault client DLL by an unusual process.
 Adversaries can abuse the functions provided by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -23,28 +23,39 @@ condition: >
 maxspan 2m
 by ps.uuid
 |spawn_process and
- ps.exe != '' and
- not
- (
- ps.exe imatches
- (
- '?:\\Windows\\System32\\MDMAppInstaller.exe',
- '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
- '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
- '?:\\Program Files\\*.exe',
- '?:\\Program Files (x86)\\*.exe',
- '?:\\Windows\\winsxs\\*\\TiWorker.exe'
- ) or
- (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
- (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
- (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
- (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
- (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
- (ps.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or
- (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
- (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
- )
+ ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe != '' and
+ not (ps.exe imatches
+ (
+ '?:\\Windows\\System32\\MDMAppInstaller.exe',
+ '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+ '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
+ '?:\\Windows\\System32\\UCConfigTask.exe',
+ '?:\\Windows\\System32\\DllHost.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+ '?:\\Program Files\\*.exe',
+ '?:\\Program Files (x86)\\*.exe',
+ '?:\\Windows\\winsxs\\*\\TiWorker.exe',
+ '?:\\WINDOWS\\system32\\UCConfigTask.exe',
+ '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
+ '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
+ '?:\\Windows\\System32\\PickerHost.exe',
+ '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
+ '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
+ '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
+ ) or
+ (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
+ (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
+ (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
+ (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
+ (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
+ (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
+ (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
+ )
 |

 |load_dll and dll.name ~= 'vaultcli.dll'|
diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml
index cf092ba2d..da5aafaaa 100644
--- a/rules/credential_access_unusual_access_to_ssh_keys.yml
+++ b/rules/credential_access_unusual_access_to_ssh_keys.yml
@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.5
+version: 1.0.6
 description: |
 Identifies access by unusual process to saved SSH keys.
 labels:
@@ -16,7 +16,7 @@ labels:

 condition: >
 open_file and
- file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
+ evt.pid != 4 and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts' and
 ps.exe not imatches
 (
 '?:\\Program Files\\*',
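Review bot: `'?:\\Windows\\System32\\DllHost.exe'` is added to the exemption list with no qualifier, yet DllHost is a COM surrogate that hosts whatever in-process server it is started for, so a path-only exemption silences `vaultcli.dll` loads from any surrogate-hosted component; the list's other generic hosts are qualified (`taskhostw.exe` by `ps.parent.args`, `BackgroundTaskHost.exe` by `ps.args`), and DllHost deserves the same, e.g. constraining `ps.args` to the `/Processid:` value that produced the false positive. The same applies to `'?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'`, which sits under a user-writable path, so pairing it with `ps.signature.trusted = true` would keep that exemption honest. Separately, `UCConfigTask.exe` and the Framework64 `mscorsvw.exe` each appear twice in the list (`imatches` is case-insensitive), so the duplicates can be dropped. The `|spawn_process and` stage opened in this hunk closes at the `|` context line, so the block is fully in view.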
diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
index 75e2f10b3..b881be2ea 100644
--- a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
+++ b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.4
+version: 1.0.5
 description: |
 Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -16,16 +16,18 @@ labels:

 condition: >
 open_file and
- file.path imatches web_browser_cred_stores and
+ evt.pid != 4 and file.path imatches web_browser_cred_stores and
 ps.name not iin web_browser_binaries and
 ps.exe not imatches
 (
 '?:\\Program Files\\*',
 '?:\\Program Files(x86)\\*',
- '*\\Windows\\System32\\SearchProtocolHost.exe',
- '*\\Windows\\explorer.exe',
+ '?:\\Windows\\System32\\SearchProtocolHost.exe',
+ '?:\\Windows\\explorer.exe',
 '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
- '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe'
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\taskhostw.exe'
 )

 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_activity_from_unhooked_ntdll_module.yml b/rules/defense_evasion_activity_from_unhooked_ntdll_module.yml
index 7be1bbff4..f02a05690 100644
--- a/rules/defense_evasion_activity_from_unhooked_ntdll_module.yml
+++ b/rules/defense_evasion_activity_from_unhooked_ntdll_module.yml
@@ -1,6 +1,6 @@
 name: Activity from unhooked NTDLL module
 id: 24f48f6c-9d97-498d-badc-65e179d19599
-version: 1.1.0
+version: 1.1.1
 description: |
 Detects suspicious activity originating from an unhooked or manually mapped copy of NTDLL loaded into a process.
 This behavior is commonly associated with defense evasion frameworks that bypass
@@ -58,7 +58,6 @@ condition: >
 |((spawn_process) or
 (load_module) or
 (create_file) or
- (set_thread_context) or
 (create_remote_thread) or
 (set_value) or
 (rename_file) or
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
index c8b18a2cd..fa14f3d7e 100644
--- a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
+++ b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.11
+version: 1.2.0
 description: |
 Identifies the loading of the .NET assembly by an unmanaged process.
 Adversaries can load the CLR runtime inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -16,31 +16,47 @@ references:
 - https://www.ired.team/offensive-security/code-injection-process-injection/injecting-and-executing-.net-assemblies-to-unmanaged-process

 condition: >
- (load_unsigned_or_untrusted_module) and
- dll.path not imatches
- (
- '?:\\Windows\\assembly\\*\\*.ni.dll',
- '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
- '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
- '?:\\$WinREAgent\\Scratch\\*',
- '?:\\Windows\\WinSxS\\*',
- '?:\\Windows\\CbsTemp\\*',
- '?:\\Windows\\SoftwareDistribution\\*'
- ) and
- ps.exe != '' and ps.pe.is_dotnet = false and
- (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
- ps.exe not imatches
+ sequence
+ maxspan 1m
+ by ps.uuid
+ |spawn_process and
+ ps.token.integrity_level != 'SYSTEM' and
+ ps.exe not imatches
 (
+ '?:\\Windows\\system32\\DllHost.exe',
+ '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe',
 '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
 '?:\\Program Files\\WindowsApps\\*\\WidgetService.exe',
 '?:\\Program Files\\WindowsApps\\*\\PhoneExperienceHost.exe',
 '?:\\Program Files\\WindowsApps\\*\\WindowsSandboxServer.exe',
 '?:\\Program Files\\Conexant\\SAII\\SmartAudio.exe',
- '?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe'
+ '?:\\Program Files\\WindowsApps\\Microsoft.WinDbg_*\\*.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+ '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+ '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\WinStore.DesktopExtension\\StoreDesktopExtension.exe'
 )
+ |
+ |(load_unsigned_or_untrusted_module) and
+ dll.path not imatches
+ (
+ '?:\\Windows\\System32\\*.dll',
+ '?:\\Windows\\assembly\\*\\*.ni.dll',
+ '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
+ '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
+ '?:\\$WinREAgent\\Scratch\\*.dll',
+ '?:\\Windows\\WinSxS\\*.dll',
+ '?:\\Windows\\CbsTemp\\*.dll',
+ '?:\\Windows\\SoftwareDistribution\\*.dll',
+ '?:\\Program Files\\WindowsApps\\Microsoft.WindowsStore_*\\*.dll'
+ ) and
+ ps.exe != '' and ps.pe.is_dotnet = false and
+ (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll'))
+ |

 output: >
- .NET assembly %dll.path loaded by unmanaged process %ps.exe
+ .NET assembly %2.dll.path loaded by unmanaged process %2.ps.exe
 severity: high

 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_hidden_registry_key_creation.yml b/rules/defense_evasion_hidden_registry_key_creation.yml
index dc7c9e8e6..a53dbc8dc 100644
--- a/rules/defense_evasion_hidden_registry_key_creation.yml
+++ b/rules/defense_evasion_hidden_registry_key_creation.yml
@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.1.6
+version: 1.1.7
 description: |
 Identifies the creation of a hidden registry key.
 Adversaries can utilize the native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -28,7 +28,9 @@ condition: >
 '?:\\Windows\\System32\\compattelrunner.exe',
 '?:\\Windows\\explorer.exe',
 '?:\\Windows\\System32\\lsass.exe',
- '?:\\Windows\\System32\\svchost.exe'
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\WinSxS\\*\\TiWorker.exe',
+ '?:\\Windows\\UUS\\*\\wuaucltcore.exe'
 ) and
 ps.parent.exe not imatches
 (
diff --git a/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml b/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml
index 64ec59ceb..d57bf6df9 100644
--- a/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml
+++ b/rules/defense_evasion_potential_ntdll_unhooking_via_file_mapping.yml
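Review bot: Rewriting the condition as `sequence maxspan 1m by ps.uuid` means an assembly load is only reported if it occurs within a minute of the host process starting, so a managed payload loaded into a long-running unmanaged process later than that no longer matches at all; that is a coverage regression rather than a false-positive fix, and neither the description nor the 1.2.0 bump says so. The added `ps.token.integrity_level != 'SYSTEM'` likewise takes every SYSTEM-level host out of scope. If the noise came from short-lived service processes, a longer `maxspan` together with keeping SYSTEM hosts subject to their own `ps.exe` exclusions would preserve most of the old coverage; at minimum the description should state that detection is now bounded by process lifetime. The new `'?:\\Windows\\System32\\*.dll'` exclusion in the second stage is only safe because `load_unsigned_or_untrusted_module` already limits it to unsigned images, which deserves a comment so the pattern is not copied into a rule without that guard.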
@@ -1,6 +1,6 @@ name: Potential NTDLL unhooking via file mapping id: b000955d-90df-44eb-8e32-8269d395f0ef -version: 1.0.0 +version: 1.0.1 description: | Identifies processes that map a fresh image view of NTDLL.dll from disk, a behavior commonly associated with user-mode API @@ -30,7 +30,8 @@ condition: > '?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe', '?:\\Windows\\System32\\wermgr.exe', - '?:\\Windows\\SysWOW64\\wermgr.exe' + '?:\\Windows\\SysWOW64\\wermgr.exe', + '?:\\Windows\\System32\\taskhostw.exe' ) severity: high diff --git a/rules/defense_evasion_process_creation_from_stomped_module.yml b/rules/defense_evasion_process_creation_from_stomped_module.yml index df2a70ee5..e23200d7b 100644 --- a/rules/defense_evasion_process_creation_from_stomped_module.yml +++ b/rules/defense_evasion_process_creation_from_stomped_module.yml @@ -1,6 +1,6 @@ name: Process creation from a stomped module id: f85d1e80-49ec-4bbe-9bf5-7e2a3a8a7319 -version: 1.0.0 +version: 1.0.1 description: | Identifies the creation of the process from the parent where the call stack exhibits suspicious memory properties. The pattern is typical of stomped module 
@@ -19,32 +19,32 @@ references: condition: > spawn_process and + ps.sid != 'S-1-5-18' and ps.exe not imatches + ( + '?:\\Program Files\\*.exe', + '?:\\Program Files(x86)\\*.exe' + ) and foreach(thread._callstack, $frame, $frame.module imatches ('?:\\Windows\\System32\\*.dll', '?:\\Windows\\SysWOW64\\*.dll') and $frame.allocation_size >= 10000) and not foreach(thread._callstack, $frame, $frame.module imatches ( '?:\\Program Files\\*.dll', '?:\\Program Files (x86)\\*.dll', - '?:\\Windows\\System32\\umppc*.dll' - ) or - ( - $frame.allocation_size >= 10000 and $frame.module imatches - ( - '?:\\Windows\\System32\\ntdll.dll', - '?:\\Windows\\System32\\rpcrt4.dll', - '?:\\Windows\\SysWOW64\\rpcrt4.dll', - '?:\\Windows\\System32\\KernelBase.dll', - '?:\\Windows\\SysWOW64\\KernelBase.dll', - '?:\\Windows\\System32\\combase.dll', - '?:\\Windows\\SysWOW64\\combase.dll', - '?:\\Windows\\System32\\user32.dll', - '?:\\Windows\\SysWOW64\\user32.dll', - '?:\\Windows\\System32\\ws2_32.dll', - '?:\\Windows\\SysWOW64\\ws2_32.dll', - '?:\\Windows\\System32\\spool\\drivers\\*', - '?:\\Windows\\assembly\\NativeImages_*', - '?:\\Windows\\System32\\DriverStore\\FileRepository\\*' - ) - )) + '?:\\Windows\\System32\\umppc*.dll', + '?:\\Windows\\System32\\ntdll.dll', + '?:\\Windows\\System32\\rpcrt4.dll', + '?:\\Windows\\SysWOW64\\rpcrt4.dll', + '?:\\Windows\\System32\\KernelBase.dll', + '?:\\Windows\\SysWOW64\\KernelBase.dll', + '?:\\Windows\\System32\\combase.dll', + '?:\\Windows\\SysWOW64\\combase.dll', + '?:\\Windows\\System32\\user32.dll', + '?:\\Windows\\SysWOW64\\user32.dll', + '?:\\Windows\\System32\\ws2_32.dll', + '?:\\Windows\\SysWOW64\\ws2_32.dll', + '?:\\Windows\\System32\\spool\\drivers\\*', + '?:\\Windows\\assembly\\NativeImages_*', + '?:\\Windows\\System32\\DriverStore\\FileRepository\\*' + )) action: - name: kill 
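Review bot: With `$frame.allocation_size >= 10000` dropped from the exclusion, the `not foreach(...)` clause now suppresses the alert whenever a frame comes from `ntdll.dll`, `KernelBase.dll` or `rpcrt4.dll` irrespective of allocation size; if `foreach` is satisfied by a single matching frame, as its use in the positive `foreach(..., $frame.allocation_size >= 10000)` term suggests, every process-creation call stack contains an ntdll.dll frame and the rule can no longer fire. If that reading is right, the old shape `$frame.allocation_size >= 10000 and $frame.module imatches (...)` should be restored for the system-DLL group, keeping only the `Program Files` and `umppc*.dll` entries unconditional. The new `'?:\\Program Files(x86)\\*.exe'` line also misspells the directory (no space before `(x86)`), so that exemption never matches; the same spelling sits as context in the vault-files and web-browser credential-store hunks. The whole `condition: >` block is inside this hunk.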
diff --git a/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml b/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml index 711e4c90c..db5a7cffc 100644 --- a/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml +++ b/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml @@ -1,6 +1,6 @@ name: Process execution from hollowed memory section id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53 -version: 2.1.1 +version: 2.1.2 description: | Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code @@ -35,7 +35,8 @@ condition: > ) | by ps.uuid, file.view.base |load_executable and - module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe' + module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe' and + (ps.exe not imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline not imatches '*0xffffffff -ForceV1' and ps.parent.name not imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe') | by ps.uuid, module.base action: - name: kill diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml index 408bca83c..c82042e2f 100644 --- a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml +++ b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml @@ -1,6 +1,6 @@ name: Process execution from a self-deleting binary id: 0f0da517-b22c-4d14-9adc-36baeb621cf7 -version: 1.0.5 +version: 1.0.6 description: | Identifies the execution of the process from a self-deleting binary. The attackers can abuse undocumented API functions to create a process from a file-backed section. The file 
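Review bot: The new parenthesised term is a conjunction of three negations, so it independently exempts any `conhost.exe` load, any process whose command line ends in `0xffffffff -ForceV1`, and any child matching the PowerShell pattern, which is far wider than the conhost-launched-by-PowerShell case the three values describe together. If that single case is the intended exemption, the negation belongs outside: `not (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and ps.cmdline imatches '*0xffffffff -ForceV1' and ps.parent.exe imatches '?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell.exe')`. Note also that `ps.parent.name` is compared against a full path pattern; if that field holds only the image name, as `ps.name` does in the shortcut-file rule (`ps.name iin ('cmd.exe', ...)`), the comparison never matches and that branch is always true. The thread-context hunk has the same conjunction-of-negations shape for `go.exe` / `go mod tidy`. The sequence's first stage lies outside this hunk.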
@@ -28,12 +28,18 @@ condition: >
 '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe',
 '?:\\WINDOWS\\uus\\packages\\preview\\*\\MoUsoCoreWorker.exe',
 '?:\\WINDOWS\\System32\\svchost.exe',
- '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe'
+ '?:\\WINDOWS\\winsxs\\*\\TiWorker.exe',
+ '?:\\Windows\\UUS\\*\\wuaucltcore.exe'
 ) and
+ ps.parent.exe not imatches '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe' and
 file.path not imatches
 (
- '?:\\Windows\\SoftwareDistribution\\Download\\*',
- '?:\\Windows\\uus\\packages\\preview\\*'
+ '?:\\Windows\\SoftwareDistribution\\Download\\*.exe',
+ '?:\\Windows\\uus\\packages\\preview\\*.exe',
+ '?:\\$WinREAgent\\Scratch\\*.exe',
+ '?:\\WINDOWS\\WinSxS\\*.exe',
+ '?:\\WINDOWS\\CbsTemp\\*.exe',
+ '?:\\WINDOWS\\SoftwareDistribution\\*.exe'
 )
 | by file.name
 |load_module and ext(module.path) != '.dll'| by module.name
diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
index 5d432159f..cf7d6ac9e 100644
--- a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
+++ b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to the hosts file
 id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
-version: 1.0.6
+version: 1.1.0
 description: >
 Identifies suspicious process accessing the Windows hosts file for potential tampering.
 Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
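Review bot: In the new `file.path not imatches` list, `'?:\\WINDOWS\\SoftwareDistribution\\*.exe'` already covers `'?:\\Windows\\SoftwareDistribution\\Download\\*.exe'` (`imatches` is case-insensitive, and `*` appears to cross directory separators the way the other entries rely on), so the first entry is redundant and keeping one spelling avoids the two drifting apart. The added `ps.parent.exe not imatches '?:\\WINDOWS\\uus\\*\\wuaucltcore.exe'` exempts every child of the update client regardless of what the child is, which is broader than the `ps.exe` entries around it; if the false positive is a specific child, naming it in `ps.exe` is the tighter fix. The enclosing `ps.exe not imatches (` list opens before this hunk.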
@@ -19,17 +19,55 @@ condition: >
 sequence
 maxspan 5m
 by ps.uuid
- |spawn_process and ps.exe not imatches
- (
- '?:\\Windows\\servicing\\TrustedInstaller.exe',
- '?:\\Windows\\System32\\svchost.exe',
- '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',
- '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
- '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
- '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'
- )
+ |spawn_process and
+ ps.sid != 'S-1-5-18' and
+ ps.exe not imatches
+ (
+ '?:\\Windows\\servicing\\TrustedInstaller.exe',
+ '?:\\Windows\\System32\\svchost.exe',
+ '?:\\Windows\\System32\\wuauclt.exe',
+ '?:\\Windows\\UUS\\*\\wuaucltcore.exe',
+ '?:\\Windows\\System32\\usoclient.exe',
+ '?:\\Windows\\System32\\MicrosoftEdgeUpdate.exe',
+ '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
+ '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
+ '?:\\Program Files\\Mozilla Firefox\\firefox.exe',
+ '?:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe',
+ '?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe',
+ '?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+ '?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+ '?:\\Windows\\Explorer.exe',
+ '?:\\Program Files\\Windows Defender\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MpCmdRun.exe',
+ '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\NisSrv.exe',
+ '?:\\Windows\\System32\\drivers\\CrowdStrike\\*\\CSFalconService.exe',
+ '?:\\Program Files\\CrowdStrike\\*\\CSFalconService.exe',
+ '?:\\Program Files\\SentinelOne\\Sentinel Agent*\\SentinelAgent.exe',
+ '?:\\Program Files\\SentinelOne\\Sentinel Agent*\\SentinelServiceHost.exe',
+ '?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe',
+ '?:\\Program Files (x86)\\Malwarebytes\\Anti-Malware\\MBAMService.exe',
+ '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\*\\Smc.exe',
+ '?:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\*\\Smc.exe',
+ '?:\\Program Files (x86)\\Trend Micro\\*\\TMBMSRV.exe',
+ '?:\\Program Files\\ESET\\ESET Security\\ekrn.exe',
+ '?:\\Program Files\\Sophos\\Sophos Anti-Virus\\SavService.exe'
+ )
+ |
+ |open_file and
+ file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts' and
+ not foreach(thread._callstack, $frame, $frame.symbol imatches
+ (
+ '?:\\Program Files\\*\\libcef.dll!GetHandleVerifier',
+ '?:\\Program Files (x86)\\*\\libcef.dll!GetHandleVerifier',
+ '?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe!GetHandleVerifier',
+ '?:\\Users\\*\\AppData\\Roaming\\Spotify\\libcef.dll!GetHandleVerifier',
+ '?:\\Program Files\\Microsoft VS Code\\Code.exe!GetHandleVerifier',
+ '?:\\Program Files (x86)\\Microsoft VS Code\\Code.exe!GetHandleVerifier',
+ '?:\\Program Files\\Google\\Chrome\\*\\chrome.dll!*',
+ '?:\\Program Files (x86)\\Google\\Chrome\\*\\chrome.dll!*'
+ ))
 |

- |open_file and file.path imatches '?:\\Windows\\System32\\drivers\\etc\\hosts'|
 action:
 - name: kill
diff --git a/rules/defense_evasion_suspicious_html_application_script_execution.yml b/rules/defense_evasion_suspicious_html_application_script_execution.yml
index 47369388b..07bfaf3c0 100644
--- a/rules/defense_evasion_suspicious_html_application_script_execution.yml
+++ b/rules/defense_evasion_suspicious_html_application_script_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious HTML Application script execution
 id: 4ec64ac2-851d-41b4-b7d2-910c21de334d
-version: 1.0.7
+version: 1.0.8
 description: |
 Identifies the execution of scripts via Microsoft HTML Application Host interpreter.
 Adversaries can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses.
@@ -31,7 +31,6 @@ condition: >
 '*ftp*',
 '*.run*',
 '*window.close*',
- '*mshta*',
 '*mshtml*',
 '*).Exec()*',
 '*script*eval(*',
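Review bot: `ps.sid != 'S-1-5-18'` in the first stage removes every SYSTEM process from hosts-file monitoring, and since writing `drivers\\etc\\hosts` already requires elevated rights, that is often the very context tampering runs in; the long `ps.exe not imatches` list that follows already names the SYSTEM-level services that produced the noise, so the blanket SID filter appears redundant with it and costs coverage. Dropping the SID line and letting the explicit exemptions do the work keeps the rule honest about what it sees; if SYSTEM noise remains, the description for 1.1.0 should state that SYSTEM-context access is now out of scope. The `open_file` stage also does not distinguish read from write opens, which is presumably where much of the remaining benign volume comes from, as many processes read the file legitimately; if the engine exposes the requested access, filtering on it would cut more noise than the SID check. The `condition: >` line and the rule's references sit outside this hunk.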
diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml index ffee21e07..17319a436 100644 --- a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml +++ b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml @@ -1,6 +1,6 @@ name: Suspicious object symbolic link creation id: f9306355-1f5f-4a06-9779-195aa681db80 -version: 1.0.5 +version: 1.1.0 description: | Identifies the creation of the object symbolic link inside the object manager namespace by untrusted or unusual processes. 
@@ -14,24 +14,45 @@ labels: technique.name: Exploitation for Defense Evasion technique.ref: https://attack.mitre.org/techniques/T1211/ references: + - https://projectzero.google/2026/26/windows-administrator-protection.html - https://www.cyberark.com/resources/threat-research-blog/follow-the-link-exploiting-symbolic-links-with-ease - https://www.elastic.co/kr/blog/detect-block-unknown-knowndlls-windows-acl-hardening-attacks-cache-poisoning-escalation condition: > - create_symbolic_link_object and evt.pid != 4 and - (ps.signature.exists = false or ps.signature.trusted = false or - ps.exe not imatches - ( - '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', - '?:\\WINDOWS\\system32\\svchost.exe', - '?:\\Program Files\\*', - '?:\\Program Files (x86)\\*', - '?:\\Windows\\System32\\vmwp.exe', - '?:\\Windows\\System32\\spoolsv.exe', - '?:\\Windows\\System32\\csrss.exe' - ) - ) and - evt.arg[target] not imatches '\\Sessions\\*\\AppContainerNamedObjects\\*' + create_symbolic_link_object and + evt.pid != 4 and ps.token.integrity_level != 'SYSTEM' and + evt.arg[target] imatches + ( + '\\KnownDlls*', + '\\KnownDlls32*', + '\\RPC Control*', + '\\GLOBAL??\\PhysicalDrive*', + '\\GLOBAL??\\Volume{*', + '\\??\\GLOBALROOT\\Device\\*', + '\\Sessions\\*\\DosDevices\\*' + ) and + ps.exe not imatches + ( + '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', + '?:\\WINDOWS\\System32\\svchost.exe', + '?:\\WINDOWS\\System32\\services.exe', + '?:\\Program Files\\*', + '?:\\Program Files (x86)\\*', + '?:\\Windows\\System32\\vmwp.exe', + '?:\\Windows\\System32\\spoolsv.exe', + '?:\\Windows\\System32\\csrss.exe', + '?:\\WINDOWS\\System32\\dwm.exe', + '?:\\WINDOWS\\System32\\fontdrvhost.exe', + '?:\\WINDOWS\\System32\\lsass.exe', + '?:\\WINDOWS\\System32\\winlogon.exe', + '?:\\WINDOWS\\System32\\wininit.exe', + '?:\\Windows\\servicing\\TrustedInstaller.exe', + '?:\\Windows\\System32\\TSTheme.exe', + '?:\\Windows\\System32\\taskhostw.exe', + 
'?:\\Windows\\System32\\RuntimeBroker.exe', + '?:\\Windows\\System32\\smartscreen.exe', + '?:\\Windows\\System32\\sihost.exe' + ) output: > Suspicious object symbolic link %evt.arg[target] created by process %ps.exe diff --git a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml index 30f234070..fb0268d57 100644 --- a/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml +++ b/rules/defense_evasion_thread_context_set_from_unbacked_memory.yml @@ -1,6 +1,6 @@ name: Thread context set from unbacked memory id: f8219274-ee68-416b-8489-4d2e635c7844 -version: 1.0.5 +version: 1.0.6 description: | Identifies manipulation of the thread context from unbacked memory region. This may be indicative of process injection. @@ -21,6 +21,7 @@ condition: > '?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe', '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe', '?:\\Windows\\System32\\taskhostw.exe' - ) + ) and + (ps.exe not imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline not imatches 'go mod tidy -modfile=*.mod') min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_windows_defender_driver_unloading.yml b/rules/defense_evasion_windows_defender_driver_unloading.yml index 1b23c974c..64264cc8c 100644 --- a/rules/defense_evasion_windows_defender_driver_unloading.yml +++ b/rules/defense_evasion_windows_defender_driver_unloading.yml @@ -1,6 +1,6 @@ name: Windows Defender driver unloading id: c9b93fbc-8845-4f39-a74b-26862615432c -version: 1.0.1 +version: 1.0.2 description: | Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections. 
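Review bot: The old condition alerted on any unsigned or untrusted process (`ps.signature.exists = false or ps.signature.trusted = false`) regardless of path; the rewrite drops that guard, so an untrusted binary under `'?:\\Program Files\\*'` or `'?:\\Program Files (x86)\\*'` is now exempt on path alone, and `ps.token.integrity_level != 'SYSTEM'` additionally removes every SYSTEM process, which together narrows coverage considerably for a rule whose new reference concerns Administrator Protection. Keeping the signature test as a disjunct, `(ps.signature.exists = false or ps.signature.trusted = false or ps.exe not imatches (...))`, preserves the untrusted-process case while still benefiting from the new target list. Replacing `evt.arg[target] not imatches '\\Sessions\\*\\AppContainerNamedObjects\\*'` with a positive `imatches` list is a deliberate scope change worth naming in the description, since links created elsewhere in the object namespace are now silently out of scope. The added reference URL contains the path segment `2026/26`, which does not look like a valid month and should be checked before merge.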
@@ -19,7 +19,8 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1562/001

 condition: >
- unload_driver and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')
+ unload_driver and
+ evt.pid != 4 and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')

 output: >
 Windows Defender driver %module.path unloaded by process %ps.exe
diff --git a/rules/execution_embedded_script_execution_via_shortcut_file.yml b/rules/execution_embedded_script_execution_via_shortcut_file.yml
index 4821342d9..df041e05b 100644
--- a/rules/execution_embedded_script_execution_via_shortcut_file.yml
+++ b/rules/execution_embedded_script_execution_via_shortcut_file.yml
@@ -1,6 +1,6 @@
 name: Embedded script execution via shortcut file
 id: 2d94a68b-03fe-4ece-9a99-f4de8ff7261d
-version: 1.0.0
+version: 1.0.1
 description: |
 Detects execution of embedded scripts delivered via Windows shortcut (.lnk) files.
 Adversaries can exploit the attack chain where a shortcut file is accessed by a
@@ -36,7 +36,8 @@ condition: >
 '?:\\Users\\*\\AppData\\LocalLow\\*',
 '?:\\Users\\*\\AppData\\Roaming\\*',
 '?:\\Users\\Public\\*'
- )
+ ) and
+ file.extension iin ('.exe', '.bat', '.com', '.scr', '.pif', '.dll', '.js', '.vbs', '.vbe', '.jse', '.wsf', '.wsh', '.hta', '.ps1', '.psm1', '.msi', '.msc', '.jar')
 |

 |spawn_process and ps.name iin
@@ -48,9 +49,16 @@ condition: >
 'cmd.exe',
 'connhost.exe',
 'rundll32.exe',
+ 'regsvr32.exe',
 'forfiles.exe',
 'wmic.exe',
- 'msbuild.exe'
+ 'msbuild.exe',
+ 'java.exe',
+ 'javaw.exe',
+ 'mmc.exe',
+ 'cscript.exe',
+ 'installutil.exe',
+ 'scriptrunner.exe'
 )
 |
 action:
diff --git a/rules/initial_access_potential_clickfix_infection_chain.yml b/rules/initial_access_potential_clickfix_infection_chain.yml
index b2560ae2f..1a7a7ea3c 100644
--- a/rules/initial_access_potential_clickfix_infection_chain.yml
+++ b/rules/initial_access_potential_clickfix_infection_chain.yml
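Review bot: The new `file.extension iin (...)` allow-list in the first stage omits `.cmd`, although `.bat` is present and both are handled by `cmd.exe`, which the second stage already watches for; adding it next to the batch entry (`'.bat', '.cmd',`) avoids dropping such a payload before the spawn check runs. Introducing an extension filter also turns the first stage into a closed list, so the description should say that only these payload types are in scope. The `file.path not imatches (` list that the added `) and` closes opens outside this hunk.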
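Review bot: The context entry `'connhost.exe'` two lines above the added `'regsvr32.exe'` is a misspelling of `conhost.exe`, so that name never matches; since this hunk is already editing the `ps.name iin` list, correcting it to `'conhost.exe'` belongs in the same change. The enclosing `|spawn_process and ps.name iin` stage opens outside the hunk.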
@@ -1,11 +1,11 @@
 name: Potential ClickFix infection chain
 id: ffe1fc54-2893-4760-ab50-51a83bd71d13
-version: 2.0.1
+version: 2.0.2
 description: |
- Identifies the execution of the process via the Run command dialog box, Windows Console shortuct, or Explorer address bar
- followed by spawning of the potential infostealer process.
- This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing
- malicious commands under the guise of meeting pages or CAPTCHAs.
+ Identifies the execution of the process via the Run command dialog box, Windows Console shortuct,
+ or Explorer address bar followed by spawning of the potential infostealer process.
+ This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into
+ executing malicious commands under the guise of meeting pages or CAPTCHAs.
 labels:
 tactic.id: TA0001
 tactic.name: Initial Access
diff --git a/rules/privilege_escalation_suspicious_child_process_integrity_level.yml b/rules/privilege_escalation_suspicious_child_process_integrity_level.yml
index 7439c1baa..90ebae1b7 100644
--- a/rules/privilege_escalation_suspicious_child_process_integrity_level.yml
+++ b/rules/privilege_escalation_suspicious_child_process_integrity_level.yml
@@ -1,6 +1,6 @@
 name: Suspicious child process integrity level
 id: b958e949-a16a-4d66-b008-15f4e8382a6e
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the execution of the parent process running with low/medium integrity level that spawns a child process with the system integrity level. Because normal
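Review bot: The reflowed description keeps the misspelling `shortuct` on the first rewritten line; since these lines are being touched anyway, make it `Windows Console shortcut`. `the execution of the process` reads more naturally as `the execution of a process`, though that is optional.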
@@ -22,7 +22,14 @@ labels:
 condition: >
 sequence
 maxspan 8m
- |spawn_process and ps.token.integrity_level in ('LOW', 'MEDIUM')| by ps.uuid
+ |spawn_process and
+ ps.token.integrity_level in ('LOW', 'MEDIUM') and
+ ps.exe not imatches
+ (
+ '?:\\Program Files\\Google\\GoogleUpdater\\*\\updater.exe',
+ '?:\\Program Files (x86)\\Google\\GoogleUpdater\\*\\updater.exe'
+ )
+ | by ps.uuid
 |spawn_process and
 ps.sid = 'S-1-5-18' and
 ps.token.integrity_level = 'SYSTEM' and
@@ -31,7 +38,9 @@ condition: >
 '?:\\Windows\\System32\\wermgr.exe',
 '?:\\Windows\\System32\\WerFault.exe',
 '?:\\Windows\\SysWOW64\\WerFault.exe',
- '?:\\Windows\\System32\\WerFaultSecure.exe'
+ '?:\\Windows\\System32\\WerFaultSecure.exe',
+ '?:\\Program Files\\Google\\GoogleUpdater\\*\\updater.exe',
+ '?:\\Program Files (x86)\\Google\\GoogleUpdater\\*\\updater.exe'
 ) | by ps.parent.uuid
 action:
diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml
index aa6f2b378..699ce3580 100644
--- a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml
+++ b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml
@@ -1,6 +1,6 @@
 name: Vulnerable or malicious driver loaded
 id: e8005f1d-b4ec-45ee-a3ea-4247eac123db
-version: 1.0.4
+version: 1.0.5
 description: |
 Detects when adversaries load a vulnerable/malicious driver into the compromised system to exploit the vulnerability and
@@ -16,7 +16,14 @@ references:
 - https://www.loldrivers.io/
 condition: >
- (load_driver) and (module.is_driver_vulnerable or module.is_driver_malicious)
+ (load_driver and module.path not imatches
+ (
+ '?:\\$WinREAgent\\Scratch\\*',
+ '?:\\Windows\\WinSxS\\*',
+ '?:\\Windows\\CbsTemp\\*',
+ '?:\\Windows\\SoftwareDistribution\\*'
+ )) and
+ (module.is_driver_vulnerable or module.is_driver_malicious)
 output: >
 Vulnerable or malicious %module.path driver loaded
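Review bot: The Google updater exclusion added to the first step is path-only and undocumented; a comment above `ps.exe not imatches` naming the benign chain it was observed in (presumably the updater at medium integrity with a SYSTEM-level sibling, which is what the two hunks together suggest) would explain why it sits on the parent side. The same two patterns are appended to the child-side list in the next hunk (`@@ -31,7 +38,9 @@`), so one comment covering both placements would do. A path under `Program Files` is a reasonable allowlist key because the directory is not writable at medium integrity, but if the process event exposes a signer or trust attribute, requiring it alongside the path would keep a misconfigured host from extending the exclusion to anything dropped under a matching directory.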
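Review bot: The new path exclusion gates both verdicts, so a module for which `module.is_driver_malicious` is true is silenced whenever it is loaded from the WinSxS, CbsTemp, SoftwareDistribution or WinRE scratch directories, even though a malicious classification has nothing to do with servicing noise. Restructure so only the vulnerable-driver branch is path-filtered, keeping the existing four patterns: `load_driver and (module.is_driver_malicious or (module.is_driver_vulnerable and module.path not imatches (...)))`. A short comment naming the scenario the exclusion targets (the paths suggest Windows Update and component servicing staging, but that should be confirmed) would also help the next person who tunes this list.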
