title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
    - https://github.com/payloadbox/xss-payload-list
    - https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
    - attack.initial-access
    - attack.t1189
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - JavaScripts,CSS Files and PNG files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

title: Suspicious Browser Child Process - MacOS
id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
status: test
description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
references:
    - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
author: Sohan G (D4rkCiph3r)
date: 2023-04-05
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1189
    - attack.t1203
    - attack.t1059
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|contains:
            - 'com.apple.WebKit.WebContent'
            - 'firefox'
            - 'Google Chrome Helper'
            - 'Google Chrome'
            - 'Microsoft Edge'
            - 'Opera'
            - 'Safari'
            - 'Tor Browser'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/ksh'
            - '/osascript'
            - '/perl'
            - '/php'
            - '/pwsh'
            - '/python'
            - '/sh'
            - '/tcsh'
            - '/wget'
            - '/zsh'
    filter_main_generic:
        CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file
    filter_main_ms_autoupdate:
        CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility
    filter_main_chrome:
        ParentImage|contains:
            - 'Google Chrome Helper'
            - 'Google Chrome'
        CommandLine|contains:
            - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser
            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files
            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks
    filter_main_ms_edge:
        ParentImage|contains: 'Microsoft Edge'
        CommandLine|contains:
            - 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)
            - 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)
    filter_main_chromerecovery:
        ParentImage|contains:
            - 'Google Chrome Helper'
            - 'Google Chrome'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Application Support/Google/Chrome/recovery/'
            - '/ChromeRecovery'
    filter_optional_null:
        # Aoids alerting for the events which do not have command-line arguments
        CommandLine: null
    filter_optional_empty:
        # Aoids alerting for the events which do not have command-line arguments
        CommandLine: ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate browser install, update and recovery scripts
level: medium