Merge PR #4698 from @swachchhanda000 - Added rules that detect possib…

…le activities associated with services and modules enumeration new: Interesting Service Enumeration Via Sc.EXE new: Loaded Module Enumeration Via Tasklist.EXE fix: SC.EXE Query Execution - Add keybase filter --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Feb 12, 2024 · 7509f6a · 7509f6a
1 parent 2acebc9
commit 7509f6a
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 4 deletions.
diff --git a/...s_creation/proc_creation_win_sc_query.yml → ...s_creation/proc_creation_win_sc_query.yml b/...s_creation/proc_creation_win_sc_query.yml → ...s_creation/proc_creation_win_sc_query.yml
@@ -6,20 +6,23 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
 author: frack113
 date: 2021/12/06
-modified: 2022/11/10
+modified: 2024/02/08
 tags:
     - attack.discovery
     - attack.t1007
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
 detection:
     selection_img:
         Image|endswith: '\sc.exe'
-        OriginalFileName|endswith: 'sc.exe'
+        OriginalFileName: 'sc.exe'
     selection_cli:
         CommandLine|contains: ' query'
-    condition: all of selection_*
+    filter_optional_keybase:
+        CommandLine: 'sc query dokan1'
+    condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate query of a service by an administrator to get more information such as the state or PID
     - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"

diff --git a/...creation_win_tasklist_basic_execution.yml → ...creation_win_tasklist_basic_execution.yml b/...creation_win_tasklist_basic_execution.yml → ...creation_win_tasklist_basic_execution.yml
@@ -10,6 +10,7 @@ modified: 2022/12/25
 tags:
     - attack.discovery
     - attack.t1057
+    - detection.threat_hunting
 logsource:
     category: process_creation
     product: windows
@@ -20,5 +21,5 @@ detection:
         - OriginalFileName: 'tasklist.exe'
     condition: selection
 falsepositives:
-    - Administrator, hotline ask to user
+    - Likely from users, administrator and different internal and third party applications.
 level: informational
diff --git a/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml b/rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml
@@ -0,0 +1,30 @@
+title: Interesting Service Enumeration Via Sc.EXE
+id: e83e8899-c9b2-483b-b355-5decc942b959
+status: experimental
+description: |
+    Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
+    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
+references:
+    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+    - https://pentestlab.blog/tag/svchost/
+author: Swachchhanda Shrawan Poudel
+date: 2024/02/12
+tags:
+    - attack.t1003
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_cli:
+        CommandLine|contains: 'query'
+    selection_cmd:
+        # Note: add more interesting services
+        CommandLine|contains: 'termservice'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+# Note: can be upgraded to medium after an initial baseline
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml b/rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml
@@ -0,0 +1,32 @@
+title: Loaded Module Enumeration Via Tasklist.EXE
+id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
+status: experimental
+description: |
+    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
+    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
+    In order to dump the process memory or perform other nefarious actions.
+references:
+    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
+    - https://pentestlab.blog/tag/svchost/
+author: Swachchhanda Shrawan Poudel
+date: 2024/02/12
+tags:
+    - attack.t1003
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\tasklist.exe'
+        - OriginalFileName: 'tasklist.exe'
+    selection_flags:
+        CommandLine|contains:
+            - '/m'
+            - '-m'
+    selection_module:
+        # Note: add other interesting modules or binaries
+        CommandLine|contains: 'rdpcorets.dll'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium