Closed fukusuket closed 1 year ago
```yaml
title: Suspicious Service Installation
ruletype: Sigma
author: pH-T
date: 2022/03/18
description: Detects suspicious service installation commands
detection:
  SELECTION_1:
    Channel: System
  SELECTION_2:
    Provider_Name: Service Control Manager
  SELECTION_3:
    EventID: 7045
  SELECTION_4:
    ImagePath:
    - '* -w hidden *'
    - '* -nop *'
    - '* -sta *'
    - '*\Users\Public\\*'
    - '*\Windows\Temp\\*'
    - '*\Perflogs\\*'
    - '*\\\\.\\pipe*'
    - '*\ADMIN$\\*'
    - '*C:\Temp\\*'
    - '*.downloadstring(*'
    - '*.downloadfile(*'
  SELECTION_5:
    ImagePath: '* -e*'
  SELECTION_6:
    ImagePath:
    - '* JAB*'
    - '* SUVYI*'
    - '* SQBFAFgA*'
    - '* aWV4I*'
    - '* IAB*'
    - '* PAA*'
    - '* aQBlAHgA*'
  SELECTION_7:
    ImagePath: C:\WINDOWS\TEMP\thor10-remote\thor64.exe*
  SELECTION_8:
    ImagePath: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\\*
  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) and (SELECTION_4 or
    (SELECTION_5 and SELECTION_6))) and not ((SELECTION_7) or (SELECTION_8)))
falsepositives:
- Unknown
id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
level: high
logsource:
  product: windows
  service: system
modified: 2022/11/14
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003
```
Since this rule's `*\\\\.\\pipe*` part does not work correctly, the following 6 high-level logs are not detected:
```text
< 2016-08-19 05:03:18.175 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,6252,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: yagfag ¦ Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo yagfag > \\.\pipe\yagfag ¦ ServiceName: yagfag ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:12:10.677 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8174,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: adsymn ¦ Path: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo adsymn > \\.\pipe\adsymn ¦ ServiceName: adsymn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-20 06:13:04.090 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8179,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hmoopk ¦ Path: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\many-events-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hmoopk > \\.\pipe\hmoopk ¦ ServiceName: hmoopk ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 01:35:58.162 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8426,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: genusn ¦ Path: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-powershell-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo genusn > \\.\pipe\genusn ¦ ServiceName: genusn ¦ ServiceType: user mode service ¦ StartType: demand start
< 2016-09-21 12:41:13.070 +09:00,IE10Win7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,8627,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: hgabms ¦ Path: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\DeepBlueCLI\metasploit-psexec-native-target-system.evtx,AccountName: LocalSystem ¦ ImagePath: cmd.exe /c echo hgabms > \\.\pipe\hgabms ¦ ServiceName: hgabms ¦ ServiceType: user mode service ¦ StartType: demand start
< 2019-05-12 21:52:43.702 +09:00,IEWIN7,Sys,Service Control Manager,7045,high,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,10446,Suspicious Service Installation,pH-T,2022/03/18,2022/11/14,experimental,Svc: WinPwnage ¦ Path: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation.yml,C:\tmp\hayabusa-sample-evtx\EVTX-ATTACK-SAMPLES\Privilege Escalation\System_7045_namedpipe_privesc.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /c ping -n 1 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe ¦ ServiceName: WinPwnage ¦ ServiceType: user mode service ¦ StartType: demand start
```
```yaml
title: Service Installation in Suspicious Folder
ruletype: Sigma
author: pH-T
date: 2022/03/18
description: Detects service installation in suspicious folder appdata
detection:
  SELECTION_1:
    Channel: System
  SELECTION_2:
    Provider_Name: Service Control Manager
  SELECTION_3:
    EventID: 7045
  SELECTION_4:
    ImagePath:
    - '*\AppData\\*'
    - '*\\\\127.0.0.1*'
    - '*\\\\localhost*'
  SELECTION_5:
    ServiceName: Zoom Sharing Service
  SELECTION_6:
    ImagePath: '"C:\Program Files\Common Files\Zoom\Support\CptService.exe*'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3 and SELECTION_4) and not
    ((SELECTION_5 and SELECTION_6)))
falsepositives:
- Unknown
id: 5e993621-67d4-488a-b9ae-b420d08b96cb
level: medium
logsource:
  product: windows
  service: system
modified: 2022/10/12
status: experimental
tags:
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003
```
Since this rule's `*\\\\127.0.0.1*` part does not work correctly, the following 1 medium-level log is not detected:
```text
< 2021-12-13 21:55:45.250 +09:00,rootdc1.offsec.lan,Sys,Service Control Manager,7045,med,Persis ¦ PrivEsc,T1543.003,car.2013-09-005,1467331,Service Installation in Suspicious Folder,pH-T,2022/03/18,2022/10/12,experimental,Svc: BTOBTO ¦ Path: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ Acct: LocalSystem ¦ StartType: demand start,win_system_susp_service_installation_folder.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0003-Persistence\T1543.003-Create or Modify System Process-Windows Service\ID7045-4697-SMBexec service registration.evtx,AccountName: LocalSystem ¦ ImagePath: %COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat ¦ ServiceName: BTOBTO ¦ ServiceType: user mode service ¦ StartType: demand start
```
```yaml
title: Hermetic Wiper TG Process Patterns
ruletype: Sigma
author: Florian Roth
date: 2022/02/25
description: Detects process execution patterns found in intrusions related to the
  Hermetic Wiper malware attacks against Ukraine in February 2022
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Channel: Microsoft-Windows-Sysmon/Operational
  SELECTION_3:
    Image: '*\policydefinitions\postgresql.exe'
  SELECTION_4:
    CommandLine:
    - '*CSIDL_SYSTEM_DRIVE\temp\sys.tmp*'
    - '* 1> \\\\127.0.0.1\ADMIN$\__16*'
  SELECTION_5:
    CommandLine: '*powershell -c *'
  SELECTION_6:
    CommandLine: '*\comsvcs.dll MiniDump *'
  SELECTION_7:
    CommandLine: '*\winupd.log full*'
  condition: ((SELECTION_1 and SELECTION_2) and (SELECTION_3 or SELECTION_4 or (SELECTION_5
    and SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: 2f974656-6d83-4059-bbdf-68ac5403422f
level: high
logsource:
  category: process_creation
  product: windows
modified: 2022/09/09
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
status: experimental
tags:
- attack.execution
- attack.lateral_movement
- attack.t1021.001
```
Since this rule's `*1> \\\\127.0.0.1\ADMIN$\__16*` part does not work correctly, the following 4 high-level logs were not detected:
```text
< 2021-04-22 20:32:03.468 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436755,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x168 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x168 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-22 20:32:03.530 +09:00,fs03vuln.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,436767,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x980 ¦ User: FS03VULN$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\TA0002-Execution\T1047-Windows Management Instrumentation\ID4688-5145-WMIexec execution via SMB.evtx,CommandLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619090610.0007844 2>&1 ¦ NewProcessId: 0x980 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ProcessId: 0x5fc ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: FS03VULN$ ¦ SubjectUserSid: S-1-5-20 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:37.258 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463010,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0xd44 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0xd44 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
< 2021-04-26 17:25:38.435 +09:00,srvdefender01.offsec.lan,Sec,Microsoft-Windows-Security-Auditing,4688,high,Exec ¦ LatMov,T1021.001,,463048,Hermetic Wiper TG Process Patterns,Florian Roth,2022/02/25,2022/09/09,experimental,CmdLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ Path: C:\Windows\System32\cmd.exe ¦ PID: 0x1b98 ¦ User: SRVDEFENDER01$ ¦ LID: 0x3e4,proc_creation_win_mal_hermetic_wiper_activity.yml,"C:\tmp\hayabusa-sample-evtx\EVTX-to-MITRE-Attack\EVTX_full_APT_attack_steps\ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx",CommandLine: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1619425227.894209 2>&1 ¦ MandatoryLabel: S-1-16-12288 ¦ NewProcessId: 0x1b98 ¦ NewProcessName: C:\Windows\System32\cmd.exe ¦ ParentProcessName: C:\Windows\System32\wbem\WmiPrvSE.exe ¦ ProcessId: 0xac8 ¦ SubjectDomainName: OFFSEC ¦ SubjectLogonId: 0x3e4 ¦ SubjectUserName: SRVDEFENDER01$ ¦ SubjectUserSid: S-1-5-20 ¦ TargetDomainName: OFFSEC ¦ TargetLogonId: 0x4da32af ¦ TargetUserName: admmig ¦ TargetUserSid: S-1-0-0 ¦ TokenElevationType: %%1936
```
This line generates an escaped backslash string: https://github.com/Yamato-Security/hayabusa/blob/v2.1.0/src/detections/rule/matchers.rs#L525
That string is then used when compiling the regular expression, which seems to be the cause. It seems to be the same situation as the repro code below:
```rust
use regex::Regex;

fn main() {
    // Actual behavior: escaping the already-escaped Sigma value doubles the
    // backslashes again, so the compiled pattern requires four literal ones
    let s = regex::escape(r"\\\\127.0.0.1"); // s is \\\\\\\\127.0.0.1
    let r = Regex::new(&s).unwrap();
    assert!(!r.is_match(r"\\127.0.0.1")); // false: the log value has only two

    // Expected behavior: compile the value as-is, two regex backslashes per
    // literal backslash, and the log value matches
    let s = r"\\\\127.0.0.1";
    let r = Regex::new(&s).unwrap();
    assert!(r.is_match(r"\\127.0.0.1")); // true
}
```
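To make the escaping order concrete, here is an added example (my code, not Hayabusa's and not the issue author's) that parses a Sigma wildcard value with Sigma's escape rules, emits the regex a correct translation produces next to the regex an escape-first translation produces (a simplified model of the behaviour described above), and checks the rules' `*\\\\127.0.0.1*` and `*\\\\.\\pipe*` patterns directly against ImagePath values taken from the logs quoted in this issue. The function names are hypothetical, and the matcher is a hand-written glob rather than the regex crate so the file builds with plain rustc and no dependencies:

```rust
// Added example (not Hayabusa's own code): translating a Sigma wildcard
// pattern into a regex, and modelling why escaping the raw YAML string
// first breaks patterns such as '*\\\\127.0.0.1*'. Function names are
// hypothetical; the matching engine is a hand-written glob so the file
// compiles with plain rustc and no external crates.

/// One element of a Sigma string value after escape processing.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Token {
    Lit(char), // literal character
    Star,      // `*`: zero or more characters
    Any,       // `?`: exactly one character
}

/// Sigma escape rules: `\\` is one literal backslash, `\*` and `\?` are
/// literal wildcard characters, and a backslash before anything else is
/// kept as a literal backslash. So `\\\\` in YAML means two backslashes.
fn parse_sigma_value(pattern: &str) -> Vec<Token> {
    let mut out = Vec::new();
    let mut chars = pattern.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '*' => out.push(Token::Star),
            '?' => out.push(Token::Any),
            '\\' => {
                let next = chars.peek().copied();
                match next {
                    Some(n) if n == '\\' || n == '*' || n == '?' => {
                        chars.next();
                        out.push(Token::Lit(n));
                    }
                    _ => out.push(Token::Lit('\\')),
                }
            }
            other => out.push(Token::Lit(other)),
        }
    }
    out
}

/// Escape regex metacharacters (same set as the regex crate's `escape`).
fn regex_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() * 2);
    for c in s.chars() {
        if "\\.+*?()|[]{}^$#&-~".contains(c) {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// Correct order: resolve Sigma escapes first, then regex-escape only the
/// literal characters, so two literal backslashes become `\\\\` in the regex.
fn sigma_to_regex(pattern: &str) -> String {
    let mut re = String::from("^");
    for t in parse_sigma_value(pattern) {
        match t {
            Token::Star => re.push_str(".*"),
            Token::Any => re.push('.'),
            Token::Lit(c) => re.push_str(&regex_escape(&c.to_string())),
        }
    }
    re.push('$');
    re
}

/// Simplified model of the behaviour the issue describes: the raw YAML value
/// is regex-escaped as a whole and wildcards are substituted afterwards, so
/// the four Sigma backslashes become eight regex backslashes (four literals).
fn buggy_to_regex(pattern: &str) -> String {
    let escaped = regex_escape(pattern).replace("\\*", ".*").replace("\\?", ".");
    format!("^{}$", escaped)
}

/// Match a value against a Sigma pattern directly (greedy glob that backtracks
/// to the most recent `*`), to check the translation independently of regex.
fn wildcard_match(pattern: &str, value: &str) -> bool {
    let tokens = parse_sigma_value(pattern);
    let chars: Vec<char> = value.chars().collect();
    let (mut p, mut v) = (0, 0);
    let mut resume: Option<(usize, usize)> = None; // (token after `*`, value pos)
    while v < chars.len() {
        if p < tokens.len() {
            match tokens[p] {
                Token::Star => { resume = Some((p + 1, v)); p += 1; continue; }
                Token::Any => { p += 1; v += 1; continue; }
                Token::Lit(c) if c == chars[v] => { p += 1; v += 1; continue; }
                Token::Lit(_) => {}
            }
        }
        // Mismatch: let the last `*` absorb one more character, or fail.
        match resume {
            Some((rp, rv)) => { p = rp; v = rv + 1; resume = Some((rp, rv + 1)); }
            None => return false,
        }
    }
    while p < tokens.len() && tokens[p] == Token::Star { p += 1; }
    p == tokens.len()
}

// Patterns are the rules' own; values are ImagePath fields from the logs
// quoted in this issue.
const PIPE_PATTERN: &str = r"*\\\\.\\pipe*";
const LOOPBACK_PATTERN: &str = r"*\\\\127.0.0.1*";
const PIPE_VALUE: &str = r"cmd.exe /c echo yagfag > \\.\pipe\yagfag";
const SMBEXEC_VALUE: &str = r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat";

fn backslashes(s: &str) -> usize {
    s.chars().filter(|&c| c == '\\').count()
}

fn main() {
    for &(pat, val) in [(PIPE_PATTERN, PIPE_VALUE), (LOOPBACK_PATTERN, SMBEXEC_VALUE)].iter() {
        let good = sigma_to_regex(pat);
        let bad = buggy_to_regex(pat);
        println!("pattern {}", pat);
        println!("  correct regex: {} ({} backslashes)", good, backslashes(&good));
        println!("  buggy regex:   {} ({} backslashes)", bad, backslashes(&bad));
        println!("  matches log value: {}", wildcard_match(pat, val));
    }
}
```

Compile with `rustc` and run: for `*\\\\127.0.0.1*` the correct translation yields a regex with 4 backslashes before `127` (two literal ones, which is what the SMBexec log contains), while the escape-first translation yields 8, which is why the logs above fail to match. The order matters in general, not just for this pattern: any rule value that uses `\\` to spell a literal backslash is affected by escaping before the Sigma escapes are resolved.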
**Describe the bug**
The following rule with 4 backslashes is not detected correctly 🤔

**Step to Reproduce**
```
hayabusa.exe csv-timeline -d .\hayabusa-sample-evtx -o out.csv
```

**Expected behavior**
A log containing 2 backslashes is detected by the above three rules.

**Environment**

**Additional context**
In a test with other performance branches, I found that the following logs in the hayabusa-sample-evtx repository were not detected.
I've fixed this issue in the performance improvement branch, so I'm creating a separate PR.