
Add Rule: proc_creation_win_renamed_ssh.yml #4971

Status: Draft. Wants to merge 4 commits into base: master.
Conversation

omaramin17 (Contributor)

Summary of the Pull Request

This PR adds detection for the renaming of the SSH client on Windows, based on the following reference: Rapid7 Blog on Black Basta Ransomware.

Black Basta ransomware operators downloaded a zip archive containing a legitimate copy of OpenSSH for Windows, which was ultimately renamed to RuntimeBroker.exe.

Changelog

new: Renamed SSH Client of Windows

Example Log Event

Execution of SSH client for Windows renamed to asdf.exe

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
        <EventID>7</EventID>
        <Version>3</Version>
        <Level>4</Level>
        <Task>7</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2024-08-15T08:46:16.9016070Z'/>
        <EventRecordID>158024818</EventRecordID>
        <Correlation/>
        <Execution ProcessID='6312' ThreadID='8660'/>
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>REDACTED</Computer>
        <Security UserID='S-1-5-18'/>
    </System>
    <EventData>
        <Data Name='RuleName'>-</Data>
        <Data Name='UtcTime'>2024-08-15 08:46:16.887</Data>
        <Data Name='ProcessGuid'>{f3beb03c-c058-66bd-f486-000000002601}</Data>
        <Data Name='ProcessId'>21876</Data>
        <Data Name='Image'>C:\Users\redacted\Desktop\asdf.exe</Data>
        <Data Name='ImageLoaded'>C:\Users\redacted\Desktop\asdf.exe</Data>
        <Data Name='FileVersion'>8.1.0.1</Data>
        <Data Name='Description'>-</Data>
        <Data Name='Product'>OpenSSH for Windows</Data>
        <Data Name='Company'>-</Data>
        <Data Name='OriginalFileName'>-</Data>
        <Data Name='Hashes'>SHA1=A0D1A4F068ED3ED585E5CEC6C787521B1C0D2D64,MD5=C05426E6F6DFB30FB78FBA874A2FF7DC,SHA256=722BEE41CCF54B88660C0E67ADEB2C9612C18D739E5A8EB8C35C3D7066A95871,IMPHASH=91C272778494F545A220F3E427777252</Data>
        <Data Name='Signed'>true</Data>
        <Data Name='Signature'>Microsoft Windows</Data>
        <Data Name='SignatureStatus'>Valid</Data>
        <Data Name='User'>REDACTED</Data>
    </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
        <EventID>1</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>1</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2024-08-15T08:46:16.8874100Z'/>
        <EventRecordID>158024792</EventRecordID>
        <Correlation/>
        <Execution ProcessID='6312' ThreadID='8504'/>
        <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
        <Computer>REDACTED</Computer>
        <Security UserID='S-1-5-18'/>
    </System>
    <EventData>
        <Data Name='RuleName'>-</Data>
        <Data Name='UtcTime'>2024-08-15 08:46:16.878</Data>
        <Data Name='ProcessGuid'>{f3beb03c-c058-66bd-f486-000000002601}</Data>
        <Data Name='ProcessId'>21876</Data>
        <Data Name='Image'>C:\Users\redacted\Desktop\asdf.exe</Data>
        <Data Name='FileVersion'>8.1.0.1</Data>
        <Data Name='Description'>-</Data>
        <Data Name='Product'>OpenSSH for Windows</Data>
        <Data Name='Company'>-</Data>
        <Data Name='OriginalFileName'>-</Data>
        <Data Name='CommandLine'>asdf.exe</Data>
        <Data Name='CurrentDirectory'>C:\Users\redacted\Desktop\</Data>
        <Data Name='User'>REDACTED</Data>
        <Data Name='LogonGuid'>{f3beb03c-cacc-66bc-b6da-450000000000}</Data>
        <Data Name='LogonId'>0x45dab6</Data>
        <Data Name='TerminalSessionId'>1</Data>
        <Data Name='IntegrityLevel'>High</Data>
        <Data Name='Hashes'>SHA1=A0D1A4F068ED3ED585E5CEC6C787521B1C0D2D64,MD5=C05426E6F6DFB30FB78FBA874A2FF7DC,SHA256=722BEE41CCF54B88660C0E67ADEB2C9612C18D739E5A8EB8C35C3D7066A95871,IMPHASH=91C272778494F545A220F3E427777252</Data>
        <Data Name='ParentProcessGuid'>{f3beb03c-c053-66bd-f186-000000002601}</Data>
        <Data Name='ParentProcessId'>44336</Data>
        <Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>
        <Data Name='ParentCommandLine'>"C:\Windows\system32\cmd.exe" </Data>
        <Data Name='ParentUser'>REDACTED</Data>
    </EventData>
</Event>

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Aug 15, 2024
@nasbench nasbench self-assigned this Aug 15, 2024
Comment on lines +19 to +20
Product|contains: 'OpenSSH for Windows'
Hashes|contains: "IMPHASH=91C272778494F545A220F3E427777252"
Member

Is this meant to be an "OR" condition or an "AND"? Also the Imphash you used is not the one from the sample mentioned in the report. Can you clarify from where you got it?

Product|contains: 'OpenSSH for Windows'
Hashes|contains: "IMPHASH=91C272778494F545A220F3E427777252"
filter:
    Image|contains: 'ssh'
Member

Since this is targeting OpenSSH, the location is known to be C:\Windows\System32\OpenSSH\ssh.exe. Other instances of SSH with that product name do not exist. Usually, SSH clients present on Windows are from third parties.

Why did you choose to have a "contains"?
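Added example, not code from the PR or from SigmaHQ: a Python check that applies the logic the rule appears to intend (Product must match AND the on-disk file name must not be a stock OpenSSH binary) to Sysmon event XML of the shape shown in the description. It also answers the maintainer's question about `contains` by using an exact file-name allow-list instead. The sample events are constructed, abridged copies of the page's events plus a few extra cases (a legitimate scp.exe, the RuntimeBroker.exe rename from the Rapid7 report, a non-OpenSSH binary, a non-version-bearing event). The allow-list of OpenSSH binary names is an assumption and should be verified against a known-good install. Note that OriginalFileName is '-' in the sample event, so the usual "OriginalFileName differs from Image" renamed-binary check is unavailable here, which is why the Product field is used.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: file names shipped with OpenSSH for Windows. Verify this
# list against a known-good install before using it in a production rule.
KNOWN_OPENSSH_IMAGES = {
    "ssh.exe", "sshd.exe", "scp.exe", "sftp.exe", "sftp-server.exe",
    "ssh-add.exe", "ssh-agent.exe", "ssh-keygen.exe", "ssh-keyscan.exe",
    "ssh-shellhost.exe",
}


def parse_sysmon_event(xml_text):
    """Return (EventID, {DataName: value}) from one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def is_renamed_openssh(event_id, data):
    """Rule logic: Product says OpenSSH AND the on-disk name is not stock."""
    if event_id not in (1, 7):          # only ProcessCreate / ImageLoad carry version info
        return False
    product = data.get("Product", "").lower()
    if "openssh for windows" not in product:
        return False
    # OriginalFileName is '-' in the sample event, so compare the actual
    # file name against the allow-list instead of a 'contains ssh' match,
    # which would also match any path with 'ssh' in a directory name.
    name = ntpath.basename(data.get("Image", "")).lower()
    return name not in KNOWN_OPENSSH_IMAGES


def scan(events):
    """Return the Image path of every event the rule would fire on."""
    hits = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if is_renamed_openssh(event_id, data):
            hits.append(data["Image"])
    return hits


def _event(eid, image, product):
    # Constructed, abridged Sysmon record with only the fields the rule reads.
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        f"<System><EventID>{eid}</EventID></System>"
        "<EventData>"
        f"<Data Name='Image'>{image}</Data>"
        f"<Data Name='Product'>{product}</Data>"
        "<Data Name='OriginalFileName'>-</Data>"
        "</EventData></Event>"
    )


# Constructed sample set: the page's asdf.exe case plus extra cases.
SAMPLE_EVENTS = [
    _event(1, r"C:\Users\redacted\Desktop\asdf.exe", "OpenSSH for Windows"),          # page's sample
    _event(7, r"C:\Windows\System32\OpenSSH\ssh.exe", "OpenSSH for Windows"),          # legitimate client
    _event(1, r"C:\Windows\System32\OpenSSH\scp.exe", "OpenSSH for Windows"),          # legitimate, no 'ssh' in name
    _event(1, r"C:\Users\redacted\Downloads\RuntimeBroker.exe", "OpenSSH for Windows"),  # rename from the Rapid7 report
    _event(1, r"C:\Windows\System32\cmd.exe", "Microsoft Windows Operating System"),   # not OpenSSH
    _event(3, r"C:\Users\redacted\Desktop\asdf.exe", "OpenSSH for Windows"),          # network event, ignored
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("renamed OpenSSH binary:", hit)
```

Run as-is, it reports the asdf.exe and RuntimeBroker.exe events and stays silent on ssh.exe and scp.exe. The equivalent Sigma shape would be a `selection` on `Product|contains` with a `filter` using `Image|endswith` over the allow-list, combined as `selection and not filter`.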

Member

@omaramin17 ping?

Member

@omaramin17 last ping before closing this for inactivity

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Aug 20, 2024
@nasbench nasbench marked this pull request as draft August 29, 2024 20:50
Labels
Author Input Required changes the require information from original author of the rules Rules Windows Pull request add/update windows related rules