From 80fee4b9b9be4c110f10cf8b93f4e6d30f147efd Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:26:58 -0500 Subject: [PATCH 01/13] Add files via upload --- lookups/windows_suspicious_services.csv | 93 +++++++++++++++++++++++++ lookups/windows_suspicious_services.yml | 14 ++++ 2 files changed, 107 insertions(+) create mode 100644 lookups/windows_suspicious_services.csv create mode 100644 lookups/windows_suspicious_services.yml diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv new file mode 100644 index 0000000000..3a2355cf28 --- /dev/null +++ b/lookups/windows_suspicious_services.csv @@ -0,0 +1,93 @@ +service_name,service_path,tool_name,tool_category,tool_type,severity,comment,reference +*mimidrv*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +*mimikatz*,,mimidrv,Credential Access,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +*sharpsploit*,,sharpsploit,Lateral Movement,offensive_tool,critical,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SharpSploit.csv,https://github.com/cobbr/SharpSploit/blob/c16931ddb8cd2335e0bd26feb9aaa35f449d48db/SharpSploit/LateralMovement/SCM.cs#L209 +3proxy,,3proxy,Defense Evasion,offensive_tool,medium,https://github.com/3proxy/3proxy/blob/a80bef9ecf0c0ed98ccb1a1a764f6b79a620b78f/src/stringtable.c#L14,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/_Others/3proxy.csv +AADInternals,,AADInternals,Credential Access,greyware_tools,high,A little service to steal the AD FS DKM secret,https://github.com/Gerenios/AADInternals/blob/0fa2edf5676439cd3fe7c92ed8006b63f0be9632/ADFS.ps1#L484C132-L484C144 +aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv +BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md +BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv +c3pool_miner,,xmrig,Cryptominer,greyware_tool,critical,https://github.com/C3Pool/xmrig_setup/blob/82c4e9bf7ee3c0c9cd925ede6e46e9ed4cc5f195/setup_c3pool_miner.bat#L380,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv +chopper,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv +CorpVPN,,UacMe,Persistence,offensive_tool,critical,https://github.com/r00t-3xp10it/redpill/blob/611d39b8bff717ac84d58550dc04e1b312acb19e/bin/UacMe.ps1#L291,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/redpill.csv +CreateToken,,CreateToken,Privilege Escalation,offensive_tool,critical,PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API - CreateToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md +CreatSvcRpc_*,,CreateSvcRpc,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SspiUacBypass.csv +csexecsvc,,csexec,Lateral Movement,offensive_tool,critical,https://github.com/malcomvetter/CSExec/blob/d6bd3f97e66dc65ccf64d9102a33379fdb769614/csexecsvc/Program.cs#L13,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/csexec.csv +CyberGhost 6 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost 7 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost 8 Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost Tunnel Client: CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost6Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 6\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost7Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 7\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhost8Service,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: C:\Program Files\CyberGhost 8\Dashboard.Service.exe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +CyberGhostTunnel$CyberGhost-WireGuard-1,,CyberGhostVPN,VPN,greyware_tool,high,https://www.cyberghostvpn.com/ - command: \Program Files\CyberGhost 8\Applications\VPN\WGHelper.exe /service C:\Windows\system32\config\systemprofile\AppData\Local\CyberGhost\WGSession-1\CyberGhost-WireGuard-1.conf,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/CyberGhost%20VPN.csv +dcrypt,,DiskCryptor,Impact,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DiskCryptor.csv +dnsproxy,,dns-proxy,Defense Evasion,offensive_tool,critical,dnsproxy service,https://github.com/AdguardTeam/dnsproxy/pull/194/files +final_seg,,TChopper,Lateral Movement,offensive_tool,critical,https://github.com/lawrenceamer/TChopper/blob/f7383a36af813019ebefb70803dc82a842ed9273/chopper.lpr#L237C25-L237C34,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/Tchopper.csv +GetFullPrivs,,GetFullPrivs,Privilege Escalation,offensive_tool,critical,PoCs to get full privileges with DKOM method - GetFullPrivs,https://github.com/daem0nc0re/VectorKernel/blob/main/GetFullPrivs/README.md +GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs to get full access process handle from kernelmode - GetProcHandle,https://github.com/daem0nc0re/VectorKernel/blob/main/GetProcHandle/README.md +GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/ +InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md +KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv +KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv +MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/ +maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv +MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv +Meterpreter,,metasploit,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv +metsvc,metsvc-server.exe,Metasploit server,Exploitation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/metasploit.csv +ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded kernel drivers with DKOM method - ModHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ModHide/README.md +Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md +Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap +OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv +PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv +PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv +PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv +physmem2profit,,physmem2profit,Credential Access,offensive_tool,critical,https://github.com/WithSecureLabs/physmem2profit/blob/2f64133bd9931303b8ae47630835e96347e0f294/server/Plugins/WinPmem.cs#L11,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/physmem2profit.csv +PowerUpService,,PowerSploit Privesc.tests.ps1,Privilege Escalation,offensive_tool,critical,,https://github.com/PowerShellMafia/PowerSploit/blob/master/Tests/Privesc.tests.ps1 +PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PPLBlade.csv +ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv +ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md +ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md +PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv +pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv +PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv +QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md +RandomService,,Invoke-SMBRemoting,Lateral Movement,offensive_tool,critical,Invoke-SMBRemoting service example,https://github.com/Leo4j/Amnesiac/blob/216ba3a280bf49ea3f5b1afab80f843bbde3548d/Tools/Invoke-SMBRemoting.ps1#L33C99-L33C113 +RemCom Service,,RemCom.exe,Lateral movement,offensive_tool,critical,,https://github.com/kavika13/RemCom +REPLACE_ME_DummyServiceName,,netexec,Credential Access,offensive_tool,critical,https://github.com/Pennyw0rth/NetExec/blob/b855dac2b696ea1b744f10a0573c6b394670a5cb/nxc/data/keepass_trigger_module/RestartKeePass.ps1#L4,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NetExec.csv +Ring0NamedPipeFilter,,NamedPipeMaster,Privilege Escalation,offensive_tool,critical,https://github.com/gavz/NamedPipeMaster,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/NamedPipeMaster.csv +Service_*,,PsMapExec,Lateral Movement,offensive_tool,critical,PsMapExec creating services regex detection: Service_[A-Za-z]{16},https://github.com/The-Viper-One/PsMapExec/blob/0ae7a6967c07bf3ebf555e665d4c43ce86c6addf/PsMapExec.ps1#L1488 +sesshijack,,atomic-red-team test T1563.002,Persistence,offensive_tool,high,,https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md?plain=1 +SEVPNCLIENTDEV,*\Program Files\SoftEther VPN Client Developer Edition\vpnclient.exe*,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +Shadowsocks Local Service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv +shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/shadowsocks/shadowsocks-rust/blob/846752866e0b52c3d93efa2036204eadc36cc696/README.md?plain=1#L458,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/shadowsocks.csv +SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW +sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv +SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv +StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md +svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv +svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists +TestService,,SharpyStay default,Persistence,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89 +TestSVC,,SharpyShell - Get-System.ps1 default service name,Privilege Escalation,offensive_tool,critical,,https://github.com/antonioCoco/SharPyShell/blob/29718225791f11fd3d66dd03df4c05c414256630/modules/ps_modules/Get-System.ps1#L89 +UACBypassedService,,S4UTomato & KRBUACBypass,Privilege Escalation,offensive_tool,critical,https://github.com/wh0amitz/S4UTomato/blob/c709a2997efb1b30375c5134ff57eb49ec177918/S4UTomato/lib/KrbSCM.cs#L10 - https://github.com/wh0amitz/KRBUACBypass/blob/e2ad3ff8b5810dda0b2d75442f1c67aef7e3c4c1/KRBUACBypass/lib/KrbSCM.cs#L10,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv +VPN Client Device Driver - VPN,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv +WCESERVICE,,wce,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/wce.csv +windows_monitoring,,social-engineer-toolkit persistence payload,Persistence,offensive_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/social-engineer-toolkit.csv +winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/winexe,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/winexe.csv +WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv +WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv +WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv +wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv +,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists +,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists +,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists +,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists \ No newline at end of file diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml new file mode 100644 index 0000000000..cf85cbbf98 --- /dev/null +++ b/lookups/windows_suspicious_services.yml @@ -0,0 +1,14 @@ +name: windows_suspicious_services +date: 2025-02-07 +version: 1 +id: 8c214005-2b4e-49c8-bba6-747005f11296 +author: Steven Dick +lookup_type: csv +description: A list of suspicious Windows Service names and locations +default_match: false +match_type: +- WILDCARD(service_name) +- WILDCARD(service_path) +min_matches: 1 +max_matches: 1 +case_sensitive_match: false \ No newline at end of file From d82968a9efbf489cb47f5023c8c509419ceda9f6 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:27:33 -0500 Subject: [PATCH 02/13] Add files via upload --- ...e_created_with_suspicious_service_name.yml | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 detections/endpoint/windows_service_created_with_suspicious_service_name.yml diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml new file mode 100644 index 0000000000..7b1081e90f --- /dev/null +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -0,0 +1,79 @@ +name: Windows Service Created with Suspicious Service Name +id: 35eb6d19-a497-400c-93c5-645562804b11 +version: 1 +date: '2025-02-07' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. +data_source: +- Windows Event Log System 7045 +search: |- + `wineventlog_system` EventCode=7045 + | stats values(user) as user, values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID + | eval process_name = mvindex(split(process,"\\"),-1) + | rename Computer as dest, ServiceName as object_name, ServiceType as object_type + | lookup windows_suspicious_services service_name as object_name + | where isnotnull(tool_type) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_service_created_with_suspicious_service_name_filter` +how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon services paths. +references: +- https://attack.mitre.org/techniques/T1569/002/ +- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 +- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv +drilldown_searches: +- name: View the detection results for - "$dest$"" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate service events on $dest$ + search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$] + risk_objects: + - field: dest + type: system + score: 75 + - field: user + type: user + score: 75 + threat_objects: + - field: process + type: file_name + - field: object_name + type: object_name +tags: + analytic_story: + - Active Directory Lateral Movement + - Brute Ratel C4 + - CISA AA23-347A + - Clop Ransomware + - Flax Typhoon + - PlugX + - Qakbot + - Snake Malware + asset_type: Endpoint + mitre_attack_id: + - T1569 + - T1569.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog \ No newline at end of file From 71f1b53016fc80186b3b28304ca221c3dab5386f Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:38:57 -0500 Subject: [PATCH 03/13] Update windows_suspicious_services.csv --- lookups/windows_suspicious_services.csv | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 3a2355cf28..84a3912add 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -8,6 +8,8 @@ aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf +SecurityCenterIBM,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +WinCheckDRVs,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv @@ -90,4 +92,4 @@ wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed wit ,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists ,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists ,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists \ No newline at end of file +,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists From e0bb7ec748892ffb9a4d49c924dec656a7052297 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:39:17 -0500 Subject: [PATCH 04/13] Update windows_suspicious_services.csv --- lookups/windows_suspicious_services.csv | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 84a3912add..5452862c68 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -8,8 +8,8 @@ aswSP_ArPot1,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI aswSP_ArPot2,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPot3,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf aswSP_ArPots,,killProcessPOC,Defense Evasion,offensive_tool,high,abused by MONTI ransomware,https://github.com/timwhitez/killProcessPOC - https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/I-K/killProcessPOC.csv - https://www.withsecure.com/content/dam/with-secure/en/resources/WS_Professionalisation_of_CyberCrime_EN.pdf -SecurityCenterIBM,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html -WinCheckDRVs,,Cl0p Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +SecurityCenterIBM,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html +WinCheckDRVs,,Clop Ransomware,Defense Evasion,offensive_tool,high,abused by Clop ransomware,https://blog.virustotal.com/2020/11/keep-your-friends-close-keep-ransomware.html BadWindowsService,,BadWindowsService,Privilege Escalation,offensive_tool,critical,https://github.com/eladshamir/BadWindowsService/blob/a7057720763fceaa7cbac9088d4c69b43d17a28f/BadWindowsService/ProjectInstaller.Designer.cs#L44,https://github.com/mthcht/ThreatHunting-Keywords/tree/main/tools/A-C/BadWindowsService.csv BlockNewProc,,BlockNewProc,Defense Evasion,offensive_tool,critical,PoCs to block new process with Process Notify Callback method - BlockNewProc,https://github.com/daem0nc0re/VectorKernel/blob/main/BlockNewProc/README.md BTOBTO,,smbExec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/impacket.csv From 658c2e6a5eb12ad8d4c1c80ae93f4f1f3f857b54 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:42:13 -0500 Subject: [PATCH 05/13] Update windows_service_created_with_suspicious_service_name.yml --- ...windows_service_created_with_suspicious_service_name.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 7b1081e90f..6e98bb1dde 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -49,9 +49,9 @@ rba: score: 75 threat_objects: - field: process - type: file_name + type: process - field: object_name - type: object_name + type: signature tags: analytic_story: - Active Directory Lateral Movement @@ -76,4 +76,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log source: XmlWinEventLog:System - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From 1946c4eeae719f12065e26919710378570e70536 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:45:27 -0500 Subject: [PATCH 06/13] Update windows_service_created_with_suspicious_service_name.yml --- .../windows_service_created_with_suspicious_service_name.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 6e98bb1dde..e7567eb9bf 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -14,7 +14,7 @@ search: |- | eval process_name = mvindex(split(process,"\\"),-1) | rename Computer as dest, ServiceName as object_name, ServiceType as object_type | lookup windows_suspicious_services service_name as object_name - | where isnotnull(tool_type) + | where isnotnull(tool_name) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_created_with_suspicious_service_name_filter` From d254729f9b8e04ff2560633303bde2ac275f90d8 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Thu, 13 Feb 2025 19:37:50 -0500 Subject: [PATCH 07/13] Add files via upload --- ...ity_telemetry_suspicious_child_process.yml | 65 +++++++++++++++++ ...y_telemetry_tampering_through_registry.yml | 69 +++++++++++++++++++ 2 files changed, 134 insertions(+) create mode 100644 detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml create mode 100644 detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml diff --git a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml new file mode 100644 index 0000000000..14435b76f1 --- /dev/null +++ b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml @@ -0,0 +1,65 @@ +name: Windows Compatibility Telemetry Suspicious Child Process +id: 56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c +version: 1 +date: '2025-02-13' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. +data_source: +- Windows Security Event ID 4688 +- Sysmon Event ID 1 +- CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = "CompatTelRunner.exe" AND Processes.process="* -cv:*" NOT Processes.process IN ("* -m:*") BY _time span=1h Processes.user Processes.dest Processes.parent_process_name Processes.process_name + |`drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_compatibility_telemetry_suspicious_child_process_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified +references: +- https://attack.mitre.org/techniques/T1546/ +- https://scythe.io/threat-thursday/windows-telemetry-persistence +- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate processes on $dest$ + search: '| from datamodel Endpoint.Processes +| search dest = "$dest$" AND process_name = "$process_name$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + threat_objects: + - field: process_name + type: process +tags: + analytic_story: + - Windows Persistence Techniques + asset_type: Endpoint + mitre_attack_id: + - T1546 + - T1053.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml new file mode 100644 index 0000000000..b7f978477d --- /dev/null +++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml @@ -0,0 +1,69 @@ +name: Windows Compatibility Telemetry Tampering Through Registry +id: 43834687-cc48-4878-a2fa-f76e4271791f +version: 1 +date: '2025-02-13' +author: Steven Dick +status: production +type: TTP +description: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$ ----- The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. +data_source: +- Sysmon Event ID 12 +- Sysmon Event ID 13 +- Sysmon Event ID 14 +search: |- + | tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND Registry.registry_value_name="Command" NOT Registry.registry_value_data IN ("(empty)")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid + | `drop_dm_object_name(Registry)` + | eval process = registry_value_data + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_compatibility_telemetry_tampering_through_registry_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: None identified +references: +- https://attack.mitre.org/techniques/T1546/ +- https://scythe.io/threat-thursday/windows-telemetry-persistence +- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$","$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate registry changes on $dest$ + search: '| from datamodel Endpoint.Registry +| search registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The process $process$ was added to registry settings for the Compatibility Appraiser by $user$ on host $dest$ + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: process + type: process +tags: + analytic_story: + - Windows Persistence Techniques + asset_type: Endpoint + mitre_attack_id: + - T1546 + - T1053.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file From ae1abc50edb771bc744872c8494b7dbca6568de7 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 14 Feb 2025 09:18:30 -0500 Subject: [PATCH 08/13] Update windows_service_created_with_suspicious_service_name.yml --- .../windows_service_created_with_suspicious_service_name.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index e7567eb9bf..5d7eb02d53 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml @@ -64,7 +64,6 @@ tags: - Snake Malware asset_type: Endpoint mitre_attack_id: - - T1569 - T1569.002 product: - Splunk Enterprise From 4d04bccb695e08195e99f65cfd131c6efa4c4037 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:24:38 -0500 Subject: [PATCH 09/13] Update detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml As you say Co-authored-by: Nasreddine Bencherchali --- ...ndows_compatibility_telemetry_tampering_through_registry.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml index b7f978477d..3f665c4c4a 100644 --- a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml +++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml @@ -7,9 +7,7 @@ status: production type: TTP description: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$ ----- The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. data_source: -- Sysmon Event ID 12 - Sysmon Event ID 13 -- Sysmon Event ID 14 search: |- | tstats `security_content_summariesonly` min(_time) as firstTime, max(_time) as lastTime, count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController*" AND Registry.registry_value_name="Command" NOT Registry.registry_value_data IN ("(empty)")) BY Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` From e66e5e364c941b2cd94d8f1f96beea7e319c578a Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 19 Feb 2025 14:26:38 -0500 Subject: [PATCH 10/13] Update windows_compatibility_telemetry_tampering_through_registry.yml description updated --- ...ows_compatibility_telemetry_tampering_through_registry.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml index 3f665c4c4a..e2c81f0363 100644 --- a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml +++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml @@ -5,7 +5,7 @@ date: '2025-02-13' author: Steven Dick status: production type: TTP -description: The process $process_name$ was launched in a suspicious manner by $parent_process_name$ on host $dest$ ----- The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. +description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. data_source: - Sysmon Event ID 13 search: |- @@ -64,4 +64,4 @@ tests: attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546/compattelrunner_abuse/compattelrunner_abuse.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From dac07f62d0c4e00bd23203a59588f71e4d379a25 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 20:59:45 +0100 Subject: [PATCH 11/13] Update windows_compatibility_telemetry_tampering_through_registry.yml --- ...ndows_compatibility_telemetry_tampering_through_registry.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml index e2c81f0363..499d13543b 100644 --- a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml +++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml @@ -5,7 +5,7 @@ date: '2025-02-13' author: Steven Dick status: production type: TTP -description: The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. +description: This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system. data_source: - Sysmon Event ID 13 search: |- From 7df0472037752996ea1e90356f962a28feab4d2f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 19 Feb 2025 21:11:52 +0100 Subject: [PATCH 12/13] update exchange macro --- detections/endpoint/exchange_powershell_abuse_via_ssrf.yml | 6 +++--- macros/exchange.yml | 4 ---- macros/windows_exchange_iis.yml | 4 ++++ 3 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 macros/exchange.yml create mode 100644 macros/windows_exchange_iis.yml diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml index aefa14a98f..782e8f3571 100644 --- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml +++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml @@ -1,7 +1,7 @@ name: Exchange PowerShell Abuse via SSRF id: 29228ab4-0762-11ec-94aa-acde48001122 -version: 5 -date: '2024-11-13' +version: 6 +date: '2025-02-19' author: Michael Haag, Splunk status: experimental type: TTP @@ -14,7 +14,7 @@ description: The following analytic detects suspicious behavior indicative of Pr If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment. data_source: [] -search: '`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" +search: '`windows_exchange_iis` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`' diff --git a/macros/exchange.yml b/macros/exchange.yml deleted file mode 100644 index c32c147a16..0000000000 --- a/macros/exchange.yml +++ /dev/null @@ -1,4 +0,0 @@ -definition: sourcetype="MSWindows:IIS" -description: customer specific splunk configurations(eg- index, source, sourcetype). - Replace the macro definition with configurations for your Splunk Environment. -name: exchange \ No newline at end of file diff --git a/macros/windows_exchange_iis.yml b/macros/windows_exchange_iis.yml new file mode 100644 index 0000000000..52db4e12d2 --- /dev/null +++ b/macros/windows_exchange_iis.yml @@ -0,0 +1,4 @@ +definition: (sourcetype="MSWindows:2003:IIS" OR sourcetype="MSWindows:2008R2:IIS" OR sourcetype="MSWindows:2010EWS:IIS" OR sourcetype="MSWindows:2012:IIS" OR sourcetype="MSWindows:2013EWS:IIS") +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: windows_exchange_iis From fb4a5ea9f4bec9e9cb243b3ba575ee14f3408187 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 19 Feb 2025 15:29:33 -0500 Subject: [PATCH 13/13] Update windows_suspicious_services.csv nas comments --- lookups/windows_suspicious_services.csv | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/lookups/windows_suspicious_services.csv b/lookups/windows_suspicious_services.csv index 5452862c68..732f509268 100644 --- a/lookups/windows_suspicious_services.csv +++ b/lookups/windows_suspicious_services.csv @@ -35,7 +35,6 @@ GetProcHandle,,GetProcHandle,Privilege Escalation,offensive_tool,critical,PoCs t GoodSync Server,,goodync,Data Exfiltration,greyware_tool,high,,https://www.goodsync.com/ InjectLibrary,,InjectLibrary,Defense Evasion,offensive_tool,critical,PoCs to perform DLL injection with Kernel APC Injection method - InjectLibrary,https://github.com/daem0nc0re/VectorKernel/blob/main/InjectLibrary/README.md KrbSCM,,KrbRelayUp,Privilege Escalation,offensive_tool,critical,https://github.com/Dec0ne/KrbRelayUp/blob/e919f78afbacdb2c2e86f17267674069a377011c/README.md?plain=1#L90,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/I-K/KrbRelayUp.csv -KrbSCM,,S4UTomato,Privilege Escalation,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/S4UTomato.csv MagnetRAMCapture Driver,,MAGNET RAM Capture,Credential Access,greyware_tool,critical,,https://startupstash.com/tools/magnet-ram-capture/ maint,,impacketremoteshell,Lateral Movement,offensive_tool,high,default service name installed https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/impacketremoteshell/RemoteMaint/main.cpp#L108,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/impacketremoteshell.csv MakeMeAdmin,,MakeMeAdmin,Privilege Escalation,offensive_tool,high,Enables users to elevate themselves to administrator-level rights https://github.com/pseymour/MakeMeAdmin/blob/18ea04be3dbc6e7cab8096558a3b02ef8f8682f6/Service/ProjectInstaller.Designer.cs#L63,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/MakeMeAdmin.csv @@ -45,7 +44,6 @@ ModHide,,ModHide,Defense Evasion,offensive_tool,critical,PoCs to hide loaded ker Neo_VPN,*\System32\drivers\Neo6_x64_VPN.sys,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv NoRebootSvc,NoReboot.exe,PSBits NoReboot.c,,offensive_tool,high,,https://github.com/gtworek/PSBits/blob/master/NoRebootSvc/readme.md Npcap Packet Driver (NPCAP),,NpCap Windows Packet Capture Library & Driver,Collection,greyware_tool,low,,https://github.com/nmap/npcap -OpenSSH SSH Server,,OpenSSH Server,C2,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv PAExec,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv PAExec-*,,paexec,Lateral Movement,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PAExec.csv PCHunter*,,PCHunter,Defense Evasion,greyware_tool,medium,PCHunter service name installation - https://www.majorgeeks.com/files/details/pc_hunter.html,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PCHunter.csv @@ -55,7 +53,6 @@ PPLBlade,,pplblade,Defense Evasion,offensive_tool,critical,,https://github.com/m ProcExp,,DriverDump,Persistence,offensive_tool,critical,This program configures and loads a Windows service to manage a driver https://github.com/trustedsec/The_Shelf/blob/feaece2bf00ba0ff46b39cadbd06803be1114d7a/POC/driverdump/DriverDump/DriverDump.c#L45,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/D-F/DriverDump.csv ProcHide,,ProcHide,Defense Evasion,offensive_tool,critical,PoCs to hide process with DKOM method - ProcHide,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcHide/README.md ProcProtect,,ProcProtect,Defense Evasion,offensive_tool,critical,PoCs to manipulate Protected Process - ProcProtect,https://github.com/daem0nc0re/VectorKernel/blob/main/ProcProtect/README.md -PSEXESVC,*PSEXESVC.exe*,psexec,Lateral Movement,greyware_tool,high,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/psexec.csv pwdump*,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/pwdump.csv PWDumpX Service,,PWDumpX,Credential Access,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/PWDumpX.csv QueryModule,,QueryModule,Collection,offensive_tool,medium,PoCs to perform retrieving kernel driver loaded address information - QueryModule,https://github.com/daem0nc0re/VectorKernel/blob/main/QueryModule/README.md @@ -71,7 +68,6 @@ shadowsocks-local-service,,Shadowsocks,C2,greyware_tool,high,https://github.com/ SilkService,,SilkETW,Discovery,greyware_tool,low,C# wrappers for ETW - meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection,https://github.com/mandiant/SilkETW sliver*,,sliver,C2,offensive_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/sliver.csv SoftEther VPN*,,SoftEtherVPN,Defense Evasion,greyware_tool,medium,https://github.com/SoftEtherVPN/SoftEtherVPN,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/R-T/SoftEtherVPN.csv -sshd,,OpenSSH Server,C2,greyware_tool,high,https://github.com/PowerShell/openssh-portable/blob/661803c9ec4d7dee6574eb6ff0c85b2b7006edb1/contrib/win32/openssh/install-sshd.ps1#L137C1-L138C1,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/Openssh.csv StealToken,,StealToken,Credential Access,offensive_tool,critical,PoCs to perform token stealing from kernelmode - StealToken,https://github.com/daem0nc0re/VectorKernel/blob/main/CreateToken/README.md svcEasySystem,,p0wnedShell,Privilege Escalation,offensive_tool,critical,https://github.com/Cn33liz/p0wnedShell/blob/35853bcc2a184f0e0fa7b18b0e54d4ad7a985ed6/p0wnedShell/Modules/PrivEsc/p0wnedEasySystem.cs#L582C33-L582C46,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/O-Q/p0wnedShell.csv svcHighPriv,,EasySystem,Privilege Escalation,offensive_tool,critical,https://github.com/S3cur3Th1sSh1t/Creds/blob/f71e780c51fdc2fdabe4e51831fa6289b1bede96/Csharp/NamedPipeSystem.cs#L28,https://github.com/mthcht/awesome-lists @@ -85,11 +81,4 @@ winexesvc,,winexe,Lateral Movement,greyware_tool,low,https://www.kali.org/tools/ WinPwnage,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/persist/persistMethod12.py#L24,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv WinPwnageVPN,,WinPwnage,Persistence,offensive_tool,critical,https://github.com/rootm0s/WinPwnage/blob/aed0389b4d20b61e3c6de611a3386d3e3fbcae01/winpwnage/functions/uac/uacMethod13.py#L54,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/U-W/WinPwnage.csv WinRing0_*,,xmrig,Cryptomining,greyware_tool,critical,,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/X-Z/xmrig.csv -wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv -,*\tmp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists -,*\Temp\*,others,Defense Evasions,greyware_tool,medium,suspicious paths,https://github.com/mthcht/awesome-lists -,*\Users\Public\*,suspicious path,Defense Evasions,greyware_tool,critical,suspicious paths,https://github.com/mthcht/awesome-lists -,*%COMSPEC%*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,*cmd.exe*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,*echo*\pipe\*,cobaltsrike & meterpreter beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists -,\\127.0.0.1\ADMIN$\*,cobaltstrike beacon,C2,offensive_tool,critical,,https://github.com/mthcht/awesome-lists +wsc_proxy,,no_defender,Defense Evasion,offensive_tool,low,technique observed with the tool no_defender https://github.com/es3n1n/no-defender - subject to false positives if avast is installed,https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/L-N/no_defender.csv