Sigma rules for CVE-2023-25261
10 rules · scoped to cve · back to CVE-2023-25261
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020-07-04
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\ditsnap.exe'
- CommandLine|contains: 'ditsnap.exe'
condition: selection
falsepositives:
- Legitimate admin usage
level: high
title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
- id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
- https://twitter.com/orange_8361/status/1518970259868626944
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_path:
# Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
CommandLine|contains:
- '\Event Viewer\RecentViews'
- '\EventV~1\RecentViews'
selection_redirect:
CommandLine|contains: '>'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potentially Suspicious Event Viewer Child Process
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: test
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\eventvwr.exe'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\System32\WerFault.exe'
- ':\Windows\SysWOW64\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
filter:
Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
condition: selection and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using Event Viewer (cmd)
technique: T1548.002
atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\mscfile\shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
title: PUA - Radmin Viewer Utility Execution
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: test
description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
- https://www.radmin.fr/
author: frack113
date: 2022-01-22
modified: 2023-12-11
tags:
- attack.execution
- attack.lateral-movement
- attack.t1072
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Radmin Viewer'
- Product: 'Radmin Viewer'
- OriginalFileName: 'Radmin.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: Potential Persistence Via Event Viewer Events.asp
id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
status: test
description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
references:
- https://twitter.com/nas_bench/status/1626648985824788480
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
- https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-17
modified: 2023-03-05
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
# Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
# Also "MicrosoftRedirectionProgramCommandLineParameters" key
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
- '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
filter_default_redirect_program:
Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
filter_default_redirect_program_cli:
Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
Details: '-url hcp://services/centers/support?topic=%%s'
filter_url:
Details: 'http://go.microsoft.com/fwlink/events.asp'
filter_cleaner:
Details: '(Empty)'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
Image: 'TeamViewer_Desktop.exe'
ParentImage: 'TeamViewer_Service.exe'
CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low