From 01b5500e2ed425618626889706ed515834a6dd08 Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Thu, 1 Feb 2024 13:36:08 +0800 Subject: [PATCH 01/24] CISA Added Known Exploited Vulnerabilities to Catalog - 20240201001 (#495) * CISA Releases Six Industrial Control Systems Advisories * Format markdown files * CISA Releases Critical Infrastructure Related Advisories - 20240131001 * Format markdown files * CISA Added Known Exploited Vulnerabilities to Catalog - 20240201001 * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...wn-Exploited-Vulnerabilities-to-Catalog.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 docs/advisories/20240201001-CISA-Added-Known-Exploited-Vulnerabilities-to-Catalog.md diff --git a/docs/advisories/20240201001-CISA-Added-Known-Exploited-Vulnerabilities-to-Catalog.md b/docs/advisories/20240201001-CISA-Added-Known-Exploited-Vulnerabilities-to-Catalog.md new file mode 100644 index 00000000..8f4acd64 --- /dev/null +++ b/docs/advisories/20240201001-CISA-Added-Known-Exploited-Vulnerabilities-to-Catalog.md 
@@ -0,0 +1,25 @@ +# CISA Added Known Exploited Vulnerabilities to Catalog - 20240201001 + +## Overview + +CISA has added new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog "Known Exploited Vulnerabilities Catalog"), based on evidence of active exploitation. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ------------------------------------------------------------- | ----------------------------------------------------------------- | -------- | ---- | +| Apple Multiple Products Improper Authentication Vulnerability | [CVE-2022-48618](https://nvd.nist.gov/vuln/detail/CVE-2022-48618) | **High** | 7.8 | +| Ivanti Connect Secure, Policy Secure, and Neurons Server-Side | [CVE-2024-21893](https://nvd.nist.gov/vuln/detail/CVE-2024-21893) | **High** | 8.2 | + +## What has been observed? + +CISA added these vulnerabilties in their [Known Exploited Vulnerabilties](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog on *2024-01-31*. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +### Additional Resources + +- [CISA Adds One Known Exploited Vulnerability to Catalog- Apple](https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-exploited-vulnerability-catalog) +- [CISA Adds One Known Exploited Vulnerability to Catalog - Ivanti](https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-exploited-vulnerability-catalog-0) From 9184086da5e2ae01696bd4f178d32873f8a1dc38 Mon Sep 17 00:00:00 2001 
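Review bot: the "Product(s) Affected" cell for the Ivanti entry is cut off mid-phrase ("... Neurons Server-Side"), and the Recommendation sentence ends in a colon with nothing after it and names no timeframe ("within expected timeframe"), unlike the sibling advisories in this series which state one. Complete the product description from the CISA alert linked under Additional Resources, state the expected timeframe for KEV-listed vulnerabilities, fix "vulnerabilties" (twice) in the "What has been observed?" line, and fix the spacing in "Catalog- Apple". Minor: the sibling files use "## Additional References" while this one uses "### Additional Resources".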
From: CharlesRN <125233614+CharlesRN@users.noreply.github.com> Date: Fri, 2 Feb 2024 13:37:31 +0800 Subject: [PATCH 02/24] Microsoft Edge Security Updates - 20240202003 (#496) * Ivanti_advisory * Format markdown files * Update 20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md Change CVE to NIST links * Microsoft Edge Security Update * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...on-Defend-Agaist-Exploitation-of-Ivanti.md | 26 +++++++++++++++++++ ...40202003-Microsoft-Edge-Security-Update.md | 23 ++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 docs/advisories/20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md create mode 100644 docs/advisories/20240202003-Microsoft-Edge-Security-Update.md diff --git a/docs/advisories/20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md b/docs/advisories/20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md new file mode 100644 index 00000000..d89cade6 --- /dev/null +++ b/docs/advisories/20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md 
@@ -0,0 +1,26 @@ +# New Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways - 20240131002 + +## Overview + +CISA has released new mitigations to defend against threat actors exploiting Ivanti Connect Secure and Policy Secure Gateways vulnerabilities in Ivanti devices ([CVE-2023-46805](https://nvd.nist.gov/vuln/detail/CVE-2023-46805) and [CVE-2024-21887](https://nvd.nist.gov/vuln/detail/CVE-2024-21887)). + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ------------------- | ------- | -------- | ---- | +| **ICS 9.1R18** | | **High** | 8.2 | +| **ICS 22.6R2** | | **High** | 8.2 | +| **IPS 9.1R18** | | **High** | 8.2 | +| **IPS 22.6R2** | | **High** | 8.2 | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +## Additional References + +- [NVD - CVE-2023-46805 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2023-46805) diff --git a/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md b/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md new file mode 100644 index 00000000..2839f761 --- /dev/null +++ b/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md 
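Review bot: the Summary column in the "What is vulnerable?" table is empty in all four rows and "ICS"/"IPS" are never expanded, so a reader cannot tell from the table which product each row is (the Overview names Ivanti Connect Secure and Policy Secure). Either drop the empty column or fill it, and write the product names out. The Overview says threat actors are exploiting CVE-2023-46805 and CVE-2024-21887, yet the Recommendation gives a timeframe of "one month..."; confirm against the patch-management guideline that this is the intended window for actively exploited vulnerabilities. Additional References lists only CVE-2023-46805; add CVE-2024-21887 and a link to the CISA mitigation guidance the Overview refers to. The file name spells "Against" as "Agaist".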
@@ -0,0 +1,23 @@ +# Microsoft Edge Security Updates - 20240202003 + +## Overview + +Microsoft has released security updates to address vulnerabilities in Microsoft Edge (Chromium-based)remote code execution [CVE-2024-21399](https://www.cve.org/CVERecord?id=CVE-2024-21399). Threat actor could exploit one of these vulnerabilities to obtain sensitive information. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| -------------------------------- | ------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Microsoft Edge 121.0.2277.98** | | **High** | [8.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-21399&vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H&version=3.1&source=Microsoft%20Corporation) | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +## Additional References + +- [Microsoft Security Updates](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21399) From 8f6b3f95acf492bd4ba3ac0efcbda924a2343019 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 2 Feb 2024 13:39:47 +0800 Subject: [PATCH 03/24] table fix --- .../20240202003-Microsoft-Edge-Security-Update.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md b/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md index 2839f761..9d6dd6f4 100644 --- a/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md 
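Review bot: the Overview runs "Microsoft Edge (Chromium-based)remote code execution" together without a space and then says the flaw lets a threat actor "obtain sensitive information", which does not match "remote code execution"; pick one impact statement consistent with the CVE record. It also says "one of these vulnerabilities" while only CVE-2024-21399 is listed. In the table, clarify whether "Microsoft Edge 121.0.2277.98" is the affected version or the version that contains the fix, since the column is headed "Product(s) Affected". The empty Summary column is the same issue as in the Ivanti file in this patch.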
+++ b/docs/advisories/20240202003-Microsoft-Edge-Security-Update.md @@ -6,9 +6,9 @@ Microsoft has released security updates to address vulnerabilities in Microsoft ## What is vulnerable? -| Product(s) Affected | Summary | Severity | CVSS | -| -------------------------------- | ------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Microsoft Edge 121.0.2277.98** | | **High** | [8.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-21399&vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H&version=3.1&source=Microsoft%20Corporation) | +| Product(s) Affected | Severity | CVSS | +| -------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Microsoft Edge 121.0.2277.98** | **High** | [8.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-21399&vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H&version=3.1&source=Microsoft%20Corporation) | ## What has been observed? From 5a8161c2a9c634b3d685292cc05c6fb16dfa077a Mon Sep 17 00:00:00 2001 From: TWangmo <125948963+TWangmo@users.noreply.github.com> Date: Fri, 2 Feb 2024 14:13:17 +0800 Subject: [PATCH 04/24] 20240202001-CISA-Known-Exploited-Vulnerabilities (#498) --- ...01-CISA-Known-Exploited-Vulnerabilities.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md diff --git a/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md b/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md new file mode 100644 index 00000000..83e88441 --- /dev/null +++ b/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md 
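Review bot: the same empty "Summary" column remains in docs/advisories/20240131002-Mitigation-Defend-Agaist-Exploitation-of-Ivanti.md added in the previous patch; apply the same column removal there so the two advisories added together have consistent tables.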
@@ -0,0 +1,28 @@ +# CISA Known Exploited Catalog - 20240202001 + +## Overview +Apple have released a critical security advisory relating to Type Confusion Vulnerability impacting multiple apple products. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ---------------------- | -------------------------------------------------------------------------------|---------------------------------- | ---- | +| Apple macOS **Versions** before 14.3, 13.6, 12.7| [CVE-2024-23222](https://nvd.nist.gov/vuln/detail/CVE-2024-23222) | **High** | 8.8 | +|Apple iOS and iPadOS **Versions** before 17.3 and 16.7 +|Apple tvOS **Versions** before 17.3 | +|Apple safari **Versions** before 17.3 | + + +## What has been observed? + +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours* (refer [Patch Management](../guidelines/patch-management.md)): + +- [NIST CVE-2024-23222](https://nvd.nist.gov/vuln/detail/CVE-2024-23222) + +### Additional Resources + +-[CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) From 5fda1b255d305c6f9a8f39f5bb981bd3e8ab62d2 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 2 Feb 2024 06:14:13 +0000 Subject: [PATCH 05/24] Format markdown files --- ...0202001-CISA-Known-Exploited-Vulnerabilities.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md b/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md index 83e88441..a1a61467 100644 --- a/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md 
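Review bot: the table rows for iOS/iPadOS, tvOS and Safari are missing their cell separators ("|Apple iOS and iPadOS **Versions** before 17.3 and 16.7" has no further cells), so they will not render as table rows; either give each row its CVE/Severity/CVSS cells or collapse the four lines into one row listing all affected products. The Overview calls the advisory "critical" while the table rates CVE-2024-23222 High (8.8); align the two. Also "apple products" and "Apple safari" should be capitalised, the title "CISA Known Exploited Catalog" drops "Vulnerabilities", and the last bullet "-[CISA Known Exploited Vulnerabilities]" needs a space after the hyphen to render as a list item.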
+++ b/docs/advisories/20240202001-CISA-Known-Exploited-Vulnerabilities.md @@ -1,17 +1,17 @@ # CISA Known Exploited Catalog - 20240202001 ## Overview + Apple have released a critical security advisory relating to Type Confusion Vulnerability impacting multiple apple products. ## What is vulnerable? -| Product(s) Affected | CVE | Severity | CVSS | -| ---------------------- | -------------------------------------------------------------------------------|---------------------------------- | ---- | -| Apple macOS **Versions** before 14.3, 13.6, 12.7| [CVE-2024-23222](https://nvd.nist.gov/vuln/detail/CVE-2024-23222) | **High** | 8.8 | -|Apple iOS and iPadOS **Versions** before 17.3 and 16.7 -|Apple tvOS **Versions** before 17.3 | -|Apple safari **Versions** before 17.3 | - +| Product(s) Affected | CVE | Severity | CVSS | +| ------------------------------------------------------ | ----------------------------------------------------------------- | -------- | ---- | +| Apple macOS **Versions** before 14.3, 13.6, 12.7 | [CVE-2024-23222](https://nvd.nist.gov/vuln/detail/CVE-2024-23222) | **High** | 8.8 | +| Apple iOS and iPadOS **Versions** before 17.3 and 16.7 | | | | +| Apple tvOS **Versions** before 17.3 | | | | +| Apple safari **Versions** before 17.3 | | | | ## What has been observed? From b2e1da88cfb13ecde79169a065a76649638f318d Mon Sep 17 00:00:00 2001 
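Review bot: the formatter repaired the table structure, but the three extra rows now carry empty CVE, Severity and CVSS cells, which reads as if those products have no CVE; since all four rows concern CVE-2024-23222, consider one row listing all affected products and versions, or repeat the CVE, severity and score in each row. The capitalisation of "apple products" and "Apple safari" in the hunk's context lines is unchanged.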
From: mahmadhabib076 <125419051+mahmadhabib076@users.noreply.github.com> Date: Fri, 2 Feb 2024 14:17:29 +0800 Subject: [PATCH 06/24] Updated ADSes and TTP guidelines (#497) * Deleted old ADSes * Updated ADS and TTP Guidelines * Format markdown files * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- .../ADS_forms/S0154-CobaltStrike-DNS.md | 6 +- .../S0357-Impacket-SecretdumpSMB2.md | 2 +- .../ADS_forms/S0552-AdFindExecution.md | 61 ------------------- .../ADS_forms/S0650-Qakbot-PostCompromise.md | 39 ------------ ...et-APT-Scheduled-Task-Creation-Registry.md | 46 ++++++++++++++ ...1059.007-GootLoader-JavaScriptExecution.md | 42 ------------- .../T1505.003-LinuxWebshellIndicators.md | 50 --------------- ...5.003-SuspiciousChildProcessOfSQLServer.md | 6 +- ...3.003-NewServiceCreationUsingPowerShell.md | 42 ------------- .../T1547.001-PersistenceViaRunKeys.md | 42 ------------- .../ADS_forms/T1558.003-Kerberoasting.md | 43 ------------- ...rDefenses-DefenderDisablingOrExclusions.md | 39 ------------ ...pairDefenses-DisableDefenderRegistryKey.md | 55 ----------------- ....001-ImpairDefenses-PowershellDowngrade.md | 38 ------------ ...01-PcAppStore-PotentialMalwareInstalled.md | 46 -------------- .../TTP_Hunt/ttp-detection-guidelines.md | 15 +---- 16 files changed, 55 insertions(+), 517 deletions(-) delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-PostCompromise.md create mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1059.007-GootLoader-JavaScriptExecution.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-LinuxWebshellIndicators.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-NewServiceCreationUsingPowerShell.md 
delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-PersistenceViaRunKeys.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1558.003-Kerberoasting.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DefenderDisablingOrExclusions.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DisableDefenderRegistryKey.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-PowershellDowngrade.md delete mode 100644 docs/guidelines/TTP_Hunt/ADS_forms/TA0001-PcAppStore-PotentialMalwareInstalled.md diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md index 56100c10..be896b04 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md @@ -9,7 +9,7 @@ The query tries to detect suspicious DNS queries known from Cobalt Strike beacon > aaa.stage.\[encryptedstage\].MaliciousDomain.com,\ > baa.stage.\[encryptedstage\].MaliciousDomain.com,\ -> caa.stage.\[encryptedstage\].MaliciousDomain.com\ +> caa.stage.\[encryptedstage\].MaliciousDomain.com, > post.\[EncryptedData\].\[RandomValue\].MaliciousDomain.com **Related**\ @@ -42,8 +42,6 @@ let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]); | where DNSName has_any (badNames) | extend Domain = DNSName, RemoteIP = RemoteIp )) -| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer -| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP ``` #### Triage @@ -53,4 +51,4 @@ let badNames = dynamic(["aaa.stage","baa.stage","caa.stage", "post.1"]); #### VERSION -Version 1.0 (date: 10/07/2023) +Version 2.0 (date: 19/12/2023) 
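Review bot: the second hunk removes the `summarize ... by Domain, SourceIp, RemoteIP, Computer` line together with the `extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP` line, which is what the bump to Version 2.0 reflects, but without the summarize the query now returns one row per matching DNS query rather than one per host/domain pair, and the entity columns that Sentinel analytics rules map to incident entities are gone; if the intent is to run this as a hunting query rather than an analytics rule, say so in the file, otherwise keep the entity columns. In the first hunk the trailing backslash on the "caa.stage" line is replaced with a comma, so the hard line break before "post.\[EncryptedData\]" is lost in rendered Markdown; keep both the comma and the trailing backslash.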
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md index 889ca927..6808e263 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md @@ -25,7 +25,7 @@ Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Comman #### SENTINEL RULE QUERY -```kusto +``` (union isfuzzy=true (SecurityEvent | where EventID == '5145' diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md deleted file mode 100644 index 41b3f076..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0552-AdFindExecution.md +++ /dev/null 
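Review bot: changing the fence from ```kusto to a bare ``` drops syntax highlighting for the query. The other ADS files in this patch use bare fences, so this is consistent, but the better direction is to tag all of them `kusto` (the Diamond Sleet file added in this patch also uses a bare fence). If the bare fence is required by the Markdown formatter, record that in ttp-detection-guidelines.md.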
@@ -1,61 +0,0 @@ -### S0552 - AdFind Execution - -#### DESCRIPTION - -Detects the use of Adfind. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. - -**Example:** - -> adfind.exe -f "(objectcategory=person)" > ad_users.txt -> -> objectcategory=person – Finds all person objects\ -> objectcategory=computer – Finds all computers in domain\ -> trustdmp – Dumps trust objects.\ -> objectcategory=subnet – Finds all subnets\ -> domainlist – Dumps all Domain NCs in forest in sorted DNS list format\ -> dcmodes – Shows modes of all DCs in forest from config\ -> adinfo – Shows Active Directory Info with whoami info.\ -> dclist – Dumps Domain Controllers FQDNs.\ -> computers_pwdnotreqd – Dumps users set with password not required. - -**Related**\ -Common tool - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml%5C -https://thedfirreport.com/2020/05/08/adfind-recon/%5C -https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - -#### ATT&CK TACTICS - -{{mitre("S0552")}} - -``` -- attack.discovery -- attack.t1018 -- attack.t1087.002 -- attack.t1482 -- attack.t1069.002 -``` - -Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) - -#### SENTINEL RULE QUERY - -``` -let c1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name="Domain Admins"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']); -find where FileName =~ "AdFind.exe" or ProcessVersionInfoOriginalFileName =~ "AdFind.exe" or InitiatingProcessFileName =~ "AdFind.exe" or InitiatingProcessVersionInfoOriginalFileName =~ "AdFind.exe" or Process =~ "AdFind.exe" or ProcessCommandLine has_any (c1) -``` - -#### Triage - -1. 
Check if AdFind is renamed and if any of the C1 commandlets are used in the command line -1. Inspect if the activity is expected and approved. - -#### FalsePositive - -1. Legitimate administrative activity. - -#### VERSION - -Version 1.1 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-PostCompromise.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-PostCompromise.md deleted file mode 100644 index 4bd1132a..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-PostCompromise.md +++ /dev/null @@ -1,39 +0,0 @@ -### S0650 - Qakbot: Post compromise commands - -#### DESCRIPTION - -Detect when multiple Qakbot post compromise commands have been executed - -**example:** - -> Automated reconnaissance commands:\ -> nslookup -querytype=ALL -timeout=12 \_ldap.\_tcp.dc.\_msdcs.\ - -**Related**\ -Malware - -**Reference**\ -https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1%5C -https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2%5C -https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - -#### ATT&CK TACTICS - -{{mitre("S0650")}} - -Data source - Command - -#### SENTINEL RULE QUERY - -``` -let c1 = dynamic(['net view', 'cmd /c set', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']); -find where InitiatingProcessCommandLine in (c1) or ProcessCommandLine in (c1) or CommandLine in (c1) -``` - -#### Triage - -1. Inspect other commands to confirm reconnaissance and beaconing activities - -#### Version - -Version 1.0 (date 5/7/2023) 
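Review bot: this deletion removes the only detection for AdFind, which the deleted description itself calls seen "across majority of breaches", and neither the commit message ("Deleted old ADSes") nor the hunk gives a reason. If the rule was retired because the unscoped `find where ...` across every table is too expensive or noisy, the cheaper fix is to scope it to DeviceProcessEvents and keep the `c1` keyword list (which also needs deduplicating: it contains both 'computer_pwdnotreqd' and 'computers_pwdnotreqd'). Record the retirement reason in ttp-detection-guidelines.md.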
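Review bot: retiring the Qakbot rule is reasonable on its own terms: the deleted query uses `in (c1)`, which requires the whole command line to equal one of the list entries exactly, so a real command line with an interpreter path or extra arguments would never match, and the entry 'nslookup-querytype=ALL -timeout=12' is missing the space after nslookup. If any of these reconnaissance commands are still wanted as a generic post-compromise detection, a `has_any` version over DeviceProcessEvents would be the replacement; otherwise note the reason for removal alongside the other deletions.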
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md new file mode 100644 index 00000000..e6ce7003 --- /dev/null +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md @@ -0,0 +1,46 @@ +### T1053.005 - Diamond Sleet APT Scheduled Task Creation - Registry + +#### DESCRIPTION + +Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability + +**Example:** + +> Forest64.exe create a scheduled task named 'Windows TeamCity Settings User Interface' + +**Related**
+ +- Ransomware +- Diamond Sleet APT + +**Reference:**\ +https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ + +#### ATT&CK TACTICS + +{{ mitre("T1562")}}
+{{ mitre("T1053.005")}} + +Data Source(s): [Windows Registry](https://attack.mitre.org/datasources/DS0024/) + +#### SENTINEL RULE QUERY + +``` +let selection = dynamic([@'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\','Windows TeamCity Settings User Interface']); +DeviceRegistryEvents +| where ActionType == "RegistryKeyCreated" +| where RegistryKey has_all (selection) +``` + +#### Triage + +1. Verify the parent process creating the registry key +1. Determine whether the behavior is normal in agency's environment + +#### FalsePositive + +Unknown, highly specific detection + +#### VERSION + +Version 1.0 (date: 19/12/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1059.007-GootLoader-JavaScriptExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1059.007-GootLoader-JavaScriptExecution.md deleted file mode 100644 index 96f0a9c6..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1059.007-GootLoader-JavaScriptExecution.md +++ /dev/null 
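Review bot: the ATT&CK block tags both `{{ mitre("T1562")}}` and `{{ mitre("T1053.005")}}`, but nothing in the description or the query concerns Impair Defenses (T1562); drop the T1562 tag or explain the link. The query matches `RegistryKey has_all` on the TaskCache\Tree path plus the literal task name 'Windows TeamCity Settings User Interface', so it fires only on that exact name; that is fine for an IoC-style rule, but the FalsePositive section should say the rule is name-specific rather than "Unknown", and "Related: Ransomware" needs a sentence tying it to the referenced Microsoft report. Wording: "Forest64.exe create a scheduled task" should be "creates", and "Team City" should be "TeamCity" to match the reference URL.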
@@ -1,42 +0,0 @@ -### T1059.007 - GootLoader: JavaScript Execution - -#### DESCRIPTION - -Detects when a JScript file extracted from a ZIP file and executed via wscript.exe that could potentially be a Gootloader malware execution. The victim executes the Trojanized copy of jQuery from the ZIP file, thinking it’s a legitimate document they have downloaded. - -**Example:** - -> "WScript.exe" "C:\\Users\\\AppData\\Local\\Temp\\Water corporation enterprise agreement 2018 wa (79577).zip\\main_script.js" - -**Related**\ -Malware - -**Reference**\ -https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations%5C -https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/%5C -https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/%5C -https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader - -#### ATT&CK TACTICS - -{{ mitre("T1059.007")}} - -Data source - Command - -#### SENTINEL RULE QUERY - -``` -let c1= dynamic(['.zip','.js']); -find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or -CommandLine has_all (c1) -``` - -#### Triage - -1. Check the legitimacy of the zip file (name, origin) -1. Inspect the Remote url -1. Check JScript file hash on VT - -#### Version - -Version 1.0 (date 5/7/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-LinuxWebshellIndicators.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-LinuxWebshellIndicators.md deleted file mode 100644 index 28ec45d7..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-LinuxWebshellIndicators.md +++ /dev/null 
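Review bot: the deleted query is `has_all(['.zip','.js'])` over three command-line columns, which matches any command line mentioning both extensions and checks nothing about wscript.exe, so it was far broader than the description ("executed via wscript.exe"); removing it for noise is defensible, but a narrower form (process name wscript.exe with '.zip' and '.js' in the command line) would keep the coverage, and the triage steps (origin of the ZIP, JScript hash lookup) are worth carrying over to whichever ADS replaces it. State the reason for removal.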
@@ -1,50 +0,0 @@ -### T1505.003 - Linux Webshell Indicators - -#### DESCRIPTION - -Detects suspicious linux sub processes of web server processes. - -**Reference:** - - - - - - - -**Related**\ -common persistence - Linux - -#### ATT&CK TACTICS - -{{mitre(T1505)}} - -Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/) - -#### SENTINEL RULE QUERY - -``` -let selection_general = @".*(/httpd|/lighttpd|/nginx|/apache2|/node|/caddy)$"; -let selection_tomcat = dynamic(['/bin/java','tomcat']); -let selection_websphere = dynamic(['/bin/java','websphere']); -let sub_processes= @"/(whoami|ifconfig|ip|bin/uname|bin/cat|bin/crontab|hostname|iptables|netstat|pwd|route)$"; -DeviceProcessEvents -| where InitiatingProcessFolderPath matches regex selection_general or InitiatingProcessCommandLine has_all (selection_tomcat) or InitiatingProcessCommandLine has_all (selection_websphere) -| where FolderPath matches regex sub_processes -//| summarize count(), earliest_time=min(TimeGenerated), set_DeviceName=make_set(DeviceName) by TenantId, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, SHA256 -``` - -#### Triage - -1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. -1. Examine the sub processes (under FolderPath) and the command-line whether the activity is suspicious -1. Check for additional suspicious sub processes detected from the same hosts -1. Verify if the location of the parent process and the process is expected - -#### FalsePositive - -1. Web applications that invoke Linux command line tools - -#### VERSION - -Version 1.1 (date: 08/11/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md index 6f242d16..cc6b761f 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md 
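Review bot: this was the only Linux-scoped detection among the ADS forms touched in this patch; it is already scoped to DeviceProcessEvents, has a FalsePositive section and a commented summarize for analysis, and the hunk gives no reason for removing it. The deleted file's "Reference:" block contains only blank lines, so if the rule is being dropped as unsourced, restoring the references would be the smaller change. Record the rationale in ttp-detection-guidelines.md.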
+++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md @@ -28,8 +28,10 @@ DeviceProcessEvents | where InitiatingProcessFolderPath !startswith "C:\\Program Files\\Microsoft SQL Server\\" | where InitiatingProcessFolderPath !endswith "DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe" | where FolderPath !contains 'C:\\Windows\\System32\\cmd.exe' +| where FolderPath !contains "C:\\Windows\\SysWOW64\\cmd.exe" //adding Win32 folder pathways | where ProcessCommandLine !startswith "C:\\Windows\\system32\\cmd.exe" -| where ProcessCommandLine !startswith "C:\\Windows\\SysWOW64\\cmd.exe" +| where ProcessCommandLine !startswith "C:\\Windows\\SysWOW64\\cmd.exe" //adding Win32 folder pathways +//| summarize count() , set_ProcessCommandLine = make_set(ProcessCommandLine) by DeviceName, AccountName, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, TenantId ``` #### Triage @@ -43,4 +45,4 @@ Backup process of database #### VERSION -Version 1.0 (date: 21/09/2023) +Version 1.2 (date: 29/01/2024) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-NewServiceCreationUsingPowerShell.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-NewServiceCreationUsingPowerShell.md deleted file mode 100644 index 4436254a..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1543.003-NewServiceCreationUsingPowerShell.md +++ /dev/null @@ -1,42 +0,0 @@ -### T1543.003 - New Service Creation Using PowerShell - -#### DESCRIPTION - -Detects the creation of a new service using powershell - -**Example:** - -> New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8dc32d6dffe89f014912dea9719e6a95577a6725/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml#L9 -https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-3---service-installation-powershell - -**Related** - -#### ATT&CK TACTICS
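Review bot: the two added `//adding Win32 folder pathways` comments sit on lines that filter SysWOW64, which holds the 32-bit binaries on 64-bit Windows, so the comments are misleading; also the new `FolderPath !contains "C:\\Windows\\SysWOW64\\cmd.exe"` mixes double quotes with the single-quoted System32 line above it and uses `!contains` on a full path where `!~` (case-insensitive not-equal) on FolderPath is clearer. More importantly, these lines exclude cmd.exe children of sqlservr.exe, which is the classic xp_cmdshell execution pattern a T1505.003 rule exists to catch, and the new line widens that exclusion to the 32-bit cmd.exe. If the exclusion exists to cut noise from the backup job named in the FalsePositive section ("Backup process of database"), filter on that job's command line instead of on cmd.exe itself. The commented-out summarize line is fine as a triage aid but should be mentioned in the Triage section, as the Linux webshell ADS did.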
- -{{mitre("T1543.003")}} - -Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/) - -#### SENTINEL RULE QUERY
- -``` -DeviceProcessEvents -| where ProcessCommandLine has_all ('New-Service','-BinaryPathName') -``` - -#### Triage - -1. Evaluate the name of the service installed, as well as the folder location -1. Verify with user executing the commandline. - -### False Positives - -1. Legitimate administrator or user creates a service for legitimate reasons. -1. Software installation - -#### VERSION - -Version 1.0 (date: 26/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-PersistenceViaRunKeys.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-PersistenceViaRunKeys.md deleted file mode 100644 index 7e327e92..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-PersistenceViaRunKeys.md +++ /dev/null @@ -1,42 +0,0 @@ -### T1547.001 - Potential Persistence Attempt Via Run Keys Using Reg.EXE - -#### DESCRIPTION - -Detects suspicious command line reg.exe tool adding key to RUN key in Registry - -**example:**\ -NA - -**Related**\ -common persistance - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22%5C -https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys - -#### ATT&CK TACTICS - -{{ mitre("T1547.001")}} - -Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) - -#### SENTINEL RULE QUERY - -``` -let c1= dynamic(['reg',' ADD', @'Software\Microsoft\Windows\CurrentVersion\Run']); -find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) -``` - -#### Triage - -1. Inspect if the software is approved - -#### FalsePositive - -- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. -- Legitimate administrator sets up autorun keys for legitimate reasons. -- Discord - -#### VERSION - -Version 1.0 (date: 10/07/2023) 
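Review bot: the deleted New Service rule is a two-term `has_all ('New-Service','-BinaryPathName')` over DeviceProcessEvents, which is cheap and maps directly to the Atomic Red Team test it references, so unlike the unscoped `find where` rules removed elsewhere in this patch there is no performance reason to drop it; if it is being removed for false positives from software installs (listed in its own False Positives section), say so in ttp-detection-guidelines.md, or keep it as a hunting query.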
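Review bot: the deleted Run Keys query combined an unscoped `find where` with a `c1` list whose entries are inconsistently spaced ('reg' without a leading space, ' ADD' with one), so it was both expensive and fragile; but reg.exe writes to the Run key are a high-signal persistence indicator and the false-positive list (installers, administrators, Discord) is short and tunable. Prefer rewriting it as a DeviceProcessEvents rule on FileName reg.exe with the Run path in ProcessCommandLine, or give the rationale for dropping it.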
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1558.003-Kerberoasting.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1558.003-Kerberoasting.md deleted file mode 100644 index d11c10fc..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1558.003-Kerberoasting.md +++ /dev/null @@ -1,43 +0,0 @@ -### T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting - -#### DESCRIPTION - -Detects service ticket requests using RC4 encryption type - -**example:**\ -N/A - -**Related**\ -N/A - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/0bd067ce9b767737155e3fb6c45a330d943d4820/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml#L13%5C -https://adsecurity.org/?p=3458%5C -https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity - -#### ATT&CK TACTICS
- -{{ mitre("T1558.003")}} - -Data Source(s): [Security Events](https://attack.mitre.org/datasources/DS0026/) - -#### SENTINEL RULE QUERY
- -``` -SecurityEvent - | where EventID == 4769 - | parse EventData with * 'ServiceName">' ServiceName "<" * - | where ServiceName contains "pick" -``` - -#### Triage - -1. Inspect if the activity is expected and approved. - -#### FalsePositive - -Unknown - -#### VERSION - -Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DefenderDisablingOrExclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DefenderDisablingOrExclusions.md deleted file mode 100644 index 38628b0e..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DefenderDisablingOrExclusions.md +++ /dev/null 
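Review bot: removing the Kerberoasting rule is correct as written, since its query never filters on the RC4 encryption type the DESCRIPTION promises and instead ends in the placeholder `| where ServiceName contains "pick"`. If a replacement is planned, it should key on the ticket encryption type field of event 4769 (as the referenced Sigma rule does) rather than on a service-name literal, and the FalsePositive section should not read `Unknown`.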
@@ -1,39 +0,0 @@ -### T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions - -#### DESCRIPTION - -This query detects attempts to disable defender or it detects attempts to add exclusions. - -**Example:** - -> C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\\’ - -**Related**\ -Malware, Ransomware - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml#L21%5C -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml#L24 - -#### ATT&CK TACTICS - -{{ mitre("T1562.001")}} - -Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) - -#### SENTINEL RULE QUERY - -``` -let c1 = dynamic(['Set-MpPreference', 'Add-MpPreference']); - let c2 = dynamic([' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ', 'DisableRealtimeMonitoring ', 'DisableIOAVProtection ', 'DisableBehaviorMonitoring ', 'DisableBlockAtFirstSeen ']); - find where (InitiatingProcessCommandLine has_any (c1) or CommandLine has_any (c1)) and - (InitiatingProcessCommandLine has_any (c2) or CommandLine has_any (c2)) -``` - -#### Triage - -1. Inspect if the activity is expected and approved. It may be performed by an admin or a service - -#### VERSION - -Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DisableDefenderRegistryKey.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DisableDefenderRegistryKey.md deleted file mode 100644 index d9280db9..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-DisableDefenderRegistryKey.md +++ /dev/null 
@@ -1,55 +0,0 @@ -### T1562.001 ImpairDefenses - Disable Defender Functionalities Via Registry Keys - -#### DESCRIPTION - -Detects when attackers or tools disable Windows Defender functionalities via the Windows registry - -**Example:** - -> reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f -> reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f - -**Related**\ -Ransomware - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42 - -#### ATT&CK TACTICS - -{{ mitre("T1562.001")}} - -Data Source(s): [Windows Registry](https://attack.mitre.org/datasources/DS0024) - -#### SENTINEL RULE QUERY - -``` -let selection_main = dynamic([@'\SOFTWARE\Microsoft\Windows Defender\', @'\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\',@'\SOFTWARE\Policies\Microsoft\Windows Defender\']); -let selection_dword_1 = dynamic(['DisableAntiSpyware','DisableAntiVirus', 'DisableBehaviorMonitoring','DisableIntrusionPreventionSystem', 'DisableIOAVProtection', 'DisableOnAccessProtection','DisableRealtimeMonitoring','DisableScanOnRealtimeEnable','DisableScriptScanning','DisableEnhancedNotifications', 'DisableBlockAtFirstSeen']); -let selection_dword_0 = dynamic(['DisallowExploitProtectionOverride', 'TamperProtection', 'MpEnablePus', 'PUAProtection', 'ForceUpdateFromMU', 'SpynetReporting', 'SubmitSamplesConsent','EnableControlledFolderAccess']); -let exclusion_defender= dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself -DeviceRegistryEvents -| where ActionType == "RegistryValueSet" -| where RegistryKey has_any (selection_main) -| where (RegistryKey matches regex @"(?i)(\\Real-Time 
Protection|\\Reporting|\\SpyNet)$" and RegistryValueName has_any (selection_dword_1) and RegistryValueType =~ "Dword" and RegistryValueData == 1 )//DWORD (0x00000001) -or -(RegistryKey matches regex @"(?i)(\\App and Browser protection|\\Features|\\MpEngine|\\Signature Update|\\SpyNet|\\Windows Defender Exploit Guard\\Controlled Folder Access)$" and RegistryValueName has_any(selection_dword_0) and RegistryValueType =~ "Dword" and RegistryValueData == 0 )//DWORD (0x00000000) -| where not(InitiatingProcessFolderPath has_any (exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") //Exclude activities from Microsoft Defender itself -//| summarize count(), start_TimeStamp =min(TimeGenerated),last_TimeStamp=max(TimeGenerated), set_DeviceName=make_set(DeviceName), DeviceNum=dcount(DeviceName), set_RegistryValueName=make_set(RegistryValueName) by ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, TenantId -//| project start_TimeStamp, last_TimeStamp, ActionType, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, set_RegistryValueName, DeviceNum, set_DeviceName, count_, TenantId -``` - -#### Triage - -1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates. -1. Inspect the InitiatingProcessFolderPath, InitiatingProcessFileName, and InitiatingProcessCommandLine, and see any suspicious process adding defender exclusion -1. Check why Defender was disabled. - -#### FalsePositive - -1. Legitimate application adding folder exceptions to the registry key -1. Misconfigured group policy disabling defender. - -#### VERSION - -Version 1.2 (date: 08/11/2023) 
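Review bot: this is the most mature of the rules deleted in this series (Version 1.2, with the `msmpeng.exe` self-exclusion and the commented `summarize` for triage), and nothing in the hunk says whether it is superseded. The data-sources.md hunk later in this series states the older packs are being converted to an external content repository; the commit message should say whether these deleted ADS forms were migrated there or dropped outright.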
diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-PowershellDowngrade.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-PowershellDowngrade.md deleted file mode 100644 index 3e3e2f02..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-ImpairDefenses-PowershellDowngrade.md +++ /dev/null @@ -1,38 +0,0 @@ -### T1562.001 - Impair Defenses: Disable or Modify Tools - PowerShell Downgrade attack - -#### DESCRIPTION - -Detects command execution and arguments associated with disabling or modification of security software processes or services. PowerShell Downgrade attack is a downgrade to an older versions of PowerShell that doesn’t contain security controls such as AMSI protection - -**Example:** - -> PowerShell –Version 2 –Command \<…> - -**Related**\ -N/A - -**Reference:**\ -https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml - -#### ATT&CK TACTICS - -{{ mitre("T1562.001")}} - -Data Source(s): [Command](https://attack.mitre.org/datasources/DS001/) - -#### SENTINEL RULE QUERY - -``` -let c1 = 'powershell.exe'; - let c2 = dynamic(['-version 2', '-v 2']); - find where (InitiatingProcessFileName == c1 and InitiatingProcessCommandLine has_any (c2)) or - (Process == c1 and CommandLine has_any (c2)) -``` - -#### Triage - -1. Inspect if the activity if it is expected and approved performed by an admin or a service - -#### VERSION - -Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/TA0001-PcAppStore-PotentialMalwareInstalled.md b/docs/guidelines/TTP_Hunt/ADS_forms/TA0001-PcAppStore-PotentialMalwareInstalled.md deleted file mode 100644 index c5a3c253..00000000 --- a/docs/guidelines/TTP_Hunt/ADS_forms/TA0001-PcAppStore-PotentialMalwareInstalled.md +++ /dev/null 
@@ -1,46 +0,0 @@ -### TA0001 - PcAppStore - Potential malware installed - -#### DESCRIPTION - -Detects malware files based on Process Company Name as seen downloaded from malware hosting site PCApp\[.\]store - -**Example:** - -> C:\\program files (x86)\\pc app store\\5.0.1.8682\\appstoredesktool.exe\ -> "C:\\Users\\\PCAppStore\\AutoUpdater.exe" /i - -**Related**\ -Advanced malware\ -Agent Tesla\ -GuLoader - -**Reference:**\ -https://www.joesandbox.com/analysis/860071/0/html - -#### ATT&CK TACTICS - -{{ mitre("TA0001")}} - -Data Source(s): [Command](https://attack.mitre.org/datasources/DS0017/) - -#### SENTINEL RULE QUERY - -``` -let c1= dynamic(["pcapp.store"]); -union Device* -| where RemoteUrl has_any (c1) or InitiatingProcessFolderPath contains "pcappstore" -``` - -#### Triage - -1. Inspect hash on VT on detected apps -1. Inspect network traffic for potential C2 communication -1. Check for registry key creation on PcApp or related apps - -#### FalsePositive - -1. pgadmin4.exe has been used across, and has clean hashes although shares same Comapany Name The "NW.js Community" - -#### VERSION - -Version 1.1 (date: 19/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md b/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md index 3b06de22..f6651472 100644 --- a/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md +++ b/docs/guidelines/TTP_Hunt/ttp-detection-guidelines.md 
@@ -21,7 +21,6 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | Technique ID | Title | Data Source | ADS | | ------------ | ------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- | | T1190 | Web shells | [Network Traffic](https://attack.mitre.org/datasources/DS0029/) | [Webshells Suspicious URI](./ADS_forms/T1190-WebshellsSuspiciousURI.md) | -| TA0001 | PcAppStore | [Network Traffic](https://attack.mitre.org/datasources/DS0029/) | [PcAppStore - Potential Malware Installed](./ADS_forms/TA0001-PcAppStore-PotentialMalwareInstalled.md) | | T1566 | Phishing | [Application Log](https://attack.mitre.org/datasources/DS0015/) | [QR Code Phishing Attachment (Quishing)](<./ADS_forms/T1566.001-QR-CodePhishingAttachment(Quishing).md>) | | T1189 | Drive-by Compromise | [File](https://attack.mitre.org/datasources/DS0022/) | [Drive-by Compromise - FakeUpdate](./ADS_forms/T1189-Drive-byCompromise-FakeUpdate.md) | 
@@ -31,42 +30,35 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | ------------ | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | | T1047 | WMI | [Command](https://attack.mitre.org/datasources/DS0017/), [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) | [WMIC commands](./ADS_forms/T1047-WMICCommands.md) | | T1059 | MicroSCADA SCILC | [Application Log](https://attack.mitre.org/datasources/DS0015/) | [MicroSCADA SCILC - Command Execution](./ADS_forms/T1059-MicroSCADA-SCILC-Command-Execution.md) | -| T1059.007 | GootLoader | [Command](https://attack.mitre.org/datasources/DS0017/) | [GootLoader Execution](./ADS_forms/T1059.007-GootLoader-JavaScriptExecution.md) | ## Persistence | Technique ID | Title | Data Source | ADS | | ------------ | ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| T1547.001 | Persistence Via Run Keys | [Command](https://attack.mitre.org/datasources/DS0017/) | [Persistence Via Run Keys](./ADS_forms/T1547.001-PersistenceViaRunKeys.md) | | T1505.003 | Web shells | [Process](https://attack.mitre.org/datasources/DS0009/) | [IIS Webshell File Writes](./ADS_forms/T1505.003-IISWebshellFileWrites.md) | -| T1505.003 | Linux Webshell Indicators | [Process](https://attack.mitre.org/datasources/DS0009/) | [Linux Webshell 
Indicators](./ADS_forms/T1505.003-LinuxWebshellIndicators.md) | | T1505.003 | Suspicious Windows Strings In URI | [NA](<>) | [Suspicious Windows Strings In URI](./ADS_forms/T1505.003-SuspiciousWindowsStringsInURI.md) | | T1505.003 | Windows Webshell Creation | [File](https://attack.mitre.org/datasources/DS0022/) | [Windows Webshell Creation](./ADS_forms/T1505.003-WindowsWebshellCreation.md) | | T1505.003 | Suspicious Child Process Of SQL Server | [Process Creation](https://attack.mitre.org/datasources/DS0009/#Process%20Creation) | [Suspicious Child Process Of SQL Server](./ADS_forms/T1505.003-SuspiciousChildProcessOfSQLServer.md) | | T1505.004 | Suspicious IIS Module Registration | [NA](<>) | [Suspicious IIS Module Registration](./ADS_forms/T1505.004-Suspicious-IIS-Module-Registration.md) | | T1543.003 | Service Installations in Registry | [registry_set](https://attack.mitre.org/datasources/DS0024/) | [CobaltStrike: Service Installations in Registry](./ADS_forms/T1543.003-CobaltStrike-ServiceInstallationsInRegistry.md) | -| T1543.003 | New Service Creation Using PowerShell | [Process](https://attack.mitre.org/datasources/DS0009/) | [New Service Creation Using PowerShell](./ADS_forms/T1543.003-NewServiceCreationUsingPowerShell.md) | | T1543.003 | Create or Modify System Process | [File](https://attack.mitre.org/datasources/DS0022/), [Windows Registry](https://attack.mitre.org/datasources/DS0024), [Process](https://attack.mitre.org/datasources/DS0009/), [Application Log](https://attack.mitre.org/datasources/DS0015/) | [Create or Modify System Process - Remote Access Tool Services Have Been Installed](./ADS_forms/T1543.003-Create-or-Modify-System-Process-Remote-Access-Tool-Services-Have-Been-Installed.md) | | T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (reg.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering 
(reg.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering-(reg.exe).md>) | | T1543.003 | Potential Persistence Attempt Via Existing Service Tampering (sc.exe) | [Process](https://attack.mitre.org/datasources/DS0009/) | [Potential Persistence Attempt Via Existing Service Tampering (sc.exe)](<./ADS_forms/T1543.003-Potential-Persistence-Attempt-Via-Existing-Service-Tampering(sc.exe).md>) | +| T1053.005 | Diamond Sleet APT Scheduled Task Creation - Registry | [Windows Registry](https://attack.mitre.org/datasources/DS0024/) | [Diamond Sleet APT Scheduled Task Creation - Registry](./ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md) | ## Defense Evasion | Technique ID | Title | Data Source | ADS | | ------------ | ------------------------------------------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | -| T1562.001 | PowerShell Downgrade attack | [Command](https://attack.mitre.org/datasources/DS0017/) | [ImpairDefenses-Powershell Downgrade](./ADS_forms/T1562.001-ImpairDefenses-PowershellDowngrade.md) | | T1562.001 | AMSI Bypass attack | [Command](https://attack.mitre.org/datasources/DS0017/) | [ImpairDefenses - AMSIBypass Attack](./ADS_forms/T1562.001-ImpairDefenses-AMSIBypass.md) | -| T1562.001 | PowerShell Defender Disabling Or Exclusions | [Command](https://attack.mitre.org/datasources/DS0017/) | [ImpairDefenses - Defender Disabling Or Exclusions](./ADS_forms/T1562.001-ImpairDefenses-DefenderDisablingOrExclusions.md) | -| T1562.001 | Disable Defender via RegistryKey | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [ImpairDefenses - Disable Defender Registry Key](./ADS_forms/T1562.001-ImpairDefenses-DisableDefenderRegistryKey.md) | | T1562.001 | Impair Defenses: Removal Of AMSI Provider Registry Keys | [Windows 
Registry](https://attack.mitre.org/datasources/DS0024) | [Impair Defenses: Removal Of AMSI Provider Registry Keys](./ADS_forms/T1562.001-ImpairDefenses-Removal-Of-AMSI-Provider-Registry-Keys.md) | | T1562.002 | Disable Windows Logging MiniNT | [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [ImpairDefenses - Disable Windows Logging Mini NT](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingMiniNT.md) | | T1562.002 | Impair Defenses: Disable Windows Logging on EventID | [Active Directory](https://attack.mitre.org/datasources/DS0026) | [ImpairDefenses - Disable Windows Logging on EventID](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingonEventID.md) | | T1562.002 | Impair Defenses: Disable Windows Logging using wevtutil | [Process](https://attack.mitre.org/datasources/DS0009/) | [Impair Defenses: Disable Windows Logging using wevtutil](./ADS_forms/T1562.002-ImpairDefenses-DisableWindowsLoggingWevtutil.md) | +| T1027.006 | HTML Smuggling | [NA](<>) | [HTML Smuggling](./ADS_forms/T1027.006-HTMLSmuggling.md) | -| T1027.006 | HTML Smuggling | [NA](<>) | [HTML Smuggling](./ADS_forms/T1027.006-HTMLSmuggling.md)| - ## Credential Access | Technique ID | Title | Data Source | ADS | 
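Review bot: the added row `| T1053.005 | Diamond Sleet APT Scheduled Task Creation - Registry | ... |` links to `./ADS_forms/T1053.005-Diamond-Sleet-APT-Scheduled-Task-Creation-Registry.md`, but no creation of that file appears in the hunks shown; likewise the removed `T1059.007 GootLoader` and `T1505.003 Linux Webshell Indicators` rows have no matching file deletions visible here. Confirm the files are added and removed in the same commit so the index neither links to a missing page nor leaves orphaned ones. The HTML Smuggling row move, which fixes the missing space before the trailing `|`, is fine.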
@@ -77,7 +69,6 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | T1003.006 | OS Credential Dumping | [Command](https://attack.mitre.org/datasources/DS0017/) | [OS Credential Dumping: DCSync](./ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md) | | T1552.002 | Unsecured Credentials | [Command](https://attack.mitre.org/datasources/DS001/), [Windows Registry](https://attack.mitre.org/datasources/DS0024) | [REGISTRY Password Dumping](./ADS_forms/T1552.002-REGISTRYPasswordDumping.md) | | T1555 | Credentials from Password Stores | [Command](https://attack.mitre.org/datasources/DS001/) | [Credentials from Password Stores](./ADS_forms/T1555-CredentialsPasswordStores.md) | -| T1558.003 | Steal or Forge Kerberos Tickets | [Security Events](https://attack.mitre.org/datasources/DS0026/) | [Kerberoasting](./ADS_forms/T1558.003-Kerberoasting.md) | | T1557 | AiTM - Phishing logging | [Security Events](https://attack.mitre.org/datasources/DS0026/) | [AiTM - Phishing logging](./ADS_forms/T1557-AiTM-PhishingLogging.md) | ## Discovery 
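Review bot: the Kerberoasting row removal matches the file deletion above, but the two kept context rows `T1552.002` and `T1555` link to `https://attack.mitre.org/datasources/DS001/`, which is not a valid ATT&CK data source id (ids are four digits, e.g. the `DS0017` used on the `T1003.006` row). Since this table is already being edited, fix those two links here; the same malformed `DS001` id also appeared in the deleted Defender and PowerShell downgrade rules.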
@@ -110,8 +101,6 @@ This section highlights queries that can be mapped in the MITRE ATT&CK Framework | S0357 | Impacket | [Command](https://attack.mitre.org/datasources/DS0017/) | [Impacket - SecretDumpSMB2](./ADS_forms/S0357-Impacket-SecretdumpSMB2.md) | | S0154 | Cobalt Strike | [Network Traffic](https://attack.mitre.org/datasources/DS0029) | [CobaltStrike - DNS](./ADS_forms/S0154-CobaltStrike-DNS.md) | | S0154 | Cobalt Strike | [Named Pipe](https://attack.mitre.org/datasources/DS0023) | [CobaltStrike - NamedPipe](./ADS_forms/S0154-CobaltStrike-NamedPipe.md) | -| S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Post Compromise](./ADS_forms/S0650-Qakbot-PostCompromise.md) | | S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Process Execution](./ADS_forms/S0650-Qakbot-ProcessExecution.md) | | S0650 | QakBot | [Command](https://attack.mitre.org/datasources/DS0017/) | [Qakbot - Defender Exclusions](./ADS_forms/S0650-Qakbot-DefenderExclusions.md) | | S0521 | Bloodhound/Sharphound | [Command](https://attack.mitre.org/datasources/DS0017/) | [Bloodhound/Sharphound - Execution Commandlets](./ADS_forms/S0521-BloodHound-Commandlets.md) | -| S0552 | AdFind | [Command](https://attack.mitre.org/datasources/DS0017/) | [AdFind Execution](./ADS_forms/S0552-AdFindExecution.md) | From 952fd9088c65a24ce230eb48ed3f569fc800f35a Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 2 Feb 2024 07:11:29 +0000 Subject: [PATCH 07/24] Docker Container Runtime Component Vulnerabilities - 20240202002 --- ...202002-Docker-Container-Vulnerabilities.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 docs/advisories/20240202002-Docker-Container-Vulnerabilities.md 
diff --git a/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md b/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md new file mode 100644 index 00000000..613cae69 --- /dev/null +++ b/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md 
@@ -0,0 +1,32 @@ +# Docker Container Runtime Component Vulnerabilities - 20240202002 + +## Overview + +An attacker could use the core container infrastructure components of docker containers to escape the container and gain unauthorized access to the underlying host operating system from within the container. + +## What is vulnerable? + +| Component(s) Affected | CVE | Severity | CVSS | +| ------------------------------------------------------ | ----------------------------------------------------------------- | -------- | ---- | +| OCI runc | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | **High** | 8.6 | +| Buildkit Mount | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 8.7 | +| Buildkit GRPC SecurityMode | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653) | **Critical** | 10.0 | +| BuildKit Buildtime | [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652) | **Critical** | 9.8 | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. 
+ +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours* (refer [Patch Management](../guidelines/patch-management.md)): + +You will likely need to update your Docker daemons and Kubernetes deployments, as well as any container build tools that you use in CI/CD pipelines, on build servers, and on your developers' workstations + +- [Runc 1.1.12](https://github.com/opencontainers/runc/releases/tag/v1.1.12) - Fix for CVE-2024-21626 +- [Docker buildkit Release 0.12.5](https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/) - Fix for CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653 + +### Additional Resources + +- [Moby and Open Container Vulenrabilities - CISA](https://www.cisa.gov/news-events/alerts/2024/02/01/moby-and-open-container-initiative-release-critical-updates-multiple-vulnerabilities-affecting) +- [Synk "leaky vessels" report](https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/) From 784eb8c881eaa21fb7dcf56bee9e1f4d858ec037 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Fri, 2 Feb 2024 07:12:39 +0000 Subject: [PATCH 08/24] Format markdown files --- .../20240202002-Docker-Container-Vulnerabilities.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md b/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md index 613cae69..3214a789 100644 --- a/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md +++ b/docs/advisories/20240202002-Docker-Container-Vulnerabilities.md 
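Review bot: the row `| Buildkit Mount | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 8.7 |` labels the link CVE-2024-23653 but points at CVE-2024-23651, and the fix list below says BuildKit 0.12.5 addresses CVE-2024-23651; the label should read CVE-2024-23651 so each of the three BuildKit CVEs appears once. Also `Vulenrabilities` in the CISA link text and `Synk` (the URL is snyk.io) are typos, and the Overview sentence would be clearer as "exploit flaws in the core container runtime components (runc, BuildKit) to escape the container and reach the host".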
@@ -6,12 +6,12 @@ An attacker could use the core container infrastructure components of docker con ## What is vulnerable? -| Component(s) Affected | CVE | Severity | CVSS | -| ------------------------------------------------------ | ----------------------------------------------------------------- | -------- | ---- | -| OCI runc | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | **High** | 8.6 | -| Buildkit Mount | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 8.7 | -| Buildkit GRPC SecurityMode | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653) | **Critical** | 10.0 | -| BuildKit Buildtime | [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652) | **Critical** | 9.8 | +| Component(s) Affected | CVE | Severity | CVSS | +| -------------------------- | ----------------------------------------------------------------- | ------------ | ---- | +| OCI runc | [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626) | **High** | 8.6 | +| Buildkit Mount | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651) | **High** | 8.7 | +| Buildkit GRPC SecurityMode | [CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23653) | **Critical** | 10.0 | +| BuildKit Buildtime | [CVE-2024-23652](https://nvd.nist.gov/vuln/detail/CVE-2024-23652) | **Critical** | 9.8 | ## What has been observed? From 5757d90b0a8c6d3ed418016b24e2e541d8678f60 Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Mon, 5 Feb 2024 11:28:01 +0800 Subject: [PATCH 09/24] Update sentinel-guidance.md Guidance on manual rule deployment --- docs/onboarding/sentinel-guidance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/onboarding/sentinel-guidance.md b/docs/onboarding/sentinel-guidance.md index c0c578d3..9e7f719d 100644 --- a/docs/onboarding/sentinel-guidance.md +++ b/docs/onboarding/sentinel-guidance.md 
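Review bot: the column re-alignment carries over the mislabeled link `[CVE-2024-23653](https://nvd.nist.gov/vuln/detail/CVE-2024-23651)` in the Buildkit Mount row. That is expected from an automated format commit, but the label needs correcting to CVE-2024-23651 in a follow-up, otherwise the formatter will keep re-emitting the wrong id.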
@@ -22,7 +22,7 @@ Below is a rapid approach to get Microsoft workloads covered rapidly using Senti ## 3. Third party solutions (Telemetry re-ingestion) -[Deploy domain solutions with ASIM analytic rules](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and connect associated telemetry for relevant products. Note for large environments this can be costly, so moving to incident synchronisation only may be more effective (see next section). +[Deploy domain solutions with ASIM analytic rules](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and connect associated telemetry for relevant products. Note for large environments this can be costly, so moving to incident synchronisation only may be more effective (see next section). Installing the [ASIM Parsers](https://github.com/Azure/Azure-Sentinel/tree/master/ASIM) directly also makes developing and managing telemetry agnostic detection rules much easier. - [Endpoint Threat Protection Essentials](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-endpointthreat?tab=Overview) - [Security Threat Essentials](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-securitythreatessentialsol?tab=Overview) From e1e2afbd03ca451559ab3f6f694d528b16a66c63 Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Mon, 5 Feb 2024 11:38:51 +0800 Subject: [PATCH 10/24] Update data-sources.md move to more guided detection improvement approach --- docs/baselines/data-sources.md | 47 +++------------------------------- 1 file changed, 3 insertions(+), 44 deletions(-) diff --git a/docs/baselines/data-sources.md b/docs/baselines/data-sources.md index 220cf34e..37f62626 100644 --- a/docs/baselines/data-sources.md +++ b/docs/baselines/data-sources.md 
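Review bot: the appended sentence should hyphenate `telemetry agnostic` as "telemetry-agnostic", and its ASIM link points at the repository tree root (`Azure-Sentinel/tree/master/ASIM`), so a reader wanting to install the parsers lands on a directory listing; consider also linking the ASIM parser deployment documentation. The commit subject "Guidance on manual rule deployment" does not describe this change, which is about installing parsers rather than deploying rules.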
@@ -97,53 +97,12 @@ The security tools collecting telemetry should be capable of running both built- - [reprise99 Sentinel Queries](https://github.com/reprise99/Sentinel-Queries) - Some tips, tricks and examples for using KQL for Microsoft Sentinel. - [Sentinel custom content CI/CD](https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github) - How to create and manage connections between Microsoft Sentinel and GitHub or Azure DevOps repositories. Managing your content in an external repository allows you to make updates to that content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces. -### 5.1 Microsoft Sentinel Detection Pack +### 5.1 Improving Microsoft Sentinel Detection Coverage !!! note "Under Review" - The below detection pack is currently being converted into an external content repository to enable better change management with git. + The WA SOC's older detection and automation packs are currently being converted into an [external content repository](https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github) to enable better change management with git. 
-The WA SOC has curated a pack of over 100 [analytics rules](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in) from [the unified Microsoft Sentinel and Microsoft 365 Defender repository](https://github.com/Azure/Azure-Sentinel) for rapid deployment (last updated Feb 2023): - -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fsoc.cyber.wa.gov.au%2Fonboarding%2Fwasoc-sentinel-rules-deployment.json) -[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fsoc.cyber.wa.gov.au%2Fonboarding%2Fwasoc-sentinel-rules-deployment.json) - -*The [ARM template](https://soc.cyber.wa.gov.au/onboarding/wasoc-sentinel-rules-deployment.json) can be deployed multiple times to install new and update existing rules. Rules deployed from this template will be updated in place, however there may be duplicate rules over time (it's worth scanning the names of analytics rules within a workspace, and removing the least recently modified ones after a deployment with the same name). Best practice is also to ensure any locally customised rules within your workspace have a prefix (to simplify distinguishing from externally sourced content).* - -![Mitre Mapping](../images/wasoc-analytics-mitre.png) - -Deploying the above resources doesn't require any connectors or incur any additional charges. Detections will be dependent on appropriate ingestion having been configured. This deployment also configures and makes use of the [Advanced Security Information Model (ASIM) parsers](https://learn.microsoft.com/EN-US/AZURE/sentinel/normalization-parsers-overview) for some analytics rules to enhance coverage across third party ingestion sources. 
- -Example [code is available](https://github.com/wagov/python-squ/blob/main/examples/export-analyticsrules.py) to export your own rules as a backup or to simplify sharing, the script by default packages ASIM rules as well into the ARM template to avoid validation issues. - -#### 5.1.1 Deployment Walkthrough and FAQ - -!!! info "Deployment Walkthrough Video" -
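Review bot: the hunk is cut off mid-removal at `!!! info "Deployment Walkthrough Video"`, so the end of the 5.1.1 deletion is not visible, but the lines shown drop the ARM template deploy and visualize buttons, the `../images/wasoc-analytics-mitre.png` image and the export-analyticsrules.py link with nothing replacing them under the new heading "Improving Microsoft Sentinel Detection Coverage" beyond the note. Suggest keeping a one-line pointer to the external content repository once it exists, checking that no other page links to `wasoc-sentinel-rules-deployment.json` or the 5.1.1 anchor, and removing the image from `docs/images/` if it is now unused.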