Merge PR #4530 from @frack113 - Pingcastle PUA

new: PUA - PingCastle Execution
new: PUA - PingCastle Execution From Potentially Suspicious Parent
new: Renamed PingCastle Binary Execution
---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>
Co-authored-by: phantinuss <[email protected]>

rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml

@@ -0,0 +1,185 @@
+title: PUA - PingCastle Execution
+id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
+related:
+    - id: b37998de-a70b-4f33-b219-ec36bf433dc0
+      type: derived
+status: experimental
+description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
+references:
+    - https://github.com/vletoux/pingcastle
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
+    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
+    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
+    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
+    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
+author: Nasreddine Bencherchali (Nextron Systems), frack113
+date: 2024/01/11
+tags:
+    - attack.reconnaissance
+    - attack.t1595
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Hashes|contains:
+              # PingCastle.exe
+              - 'MD5=f741f25ac909ee434e50812d436c73ff'
+              - 'MD5=d40acbfc29ee24388262e3d8be16f622'
+              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
+              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
+              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
+              - 'MD5=324579d717c9b9b8e71d0269d13f811f'
+              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
+              - 'MD5=049e85963826b059c9bac273bb9c82ab'
+              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
+              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
+              - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
+              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
+              - 'MD5=a258ef593ac63155523a461ecc73bdba'
+              - 'MD5=97000eb5d1653f1140ee3f47186463c4'
+              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
+              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
+              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
+              - 'MD5=124283924e86933ff9054a549d3a268b'
+              - 'MD5=ceda6909b8573fdeb0351c6920225686'
+              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
+              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
+              - 'MD5=011d967028e797a4c16d547f7ba1463f'
+              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
+              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
+              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
+              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
+              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
+              - 'MD5=28caff93748cb84be70486e79f04c2df'
+              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
+              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
+              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
+              - 'MD5=9dce0a481343874ef9a36c9a825ef991'
+              - 'MD5=85890f62e231ad964b1fda7a674747ec'
+              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
+              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
+              - 'MD5=32d45718164205aec3e98e0223717d1d'
+              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
+              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
+              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
+              - 'MD5=781fa16511a595757154b4304d2dd350'
+              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
+              - 'MD5=f4a84d6f1caf0875b50135423d04139f'
+              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
+              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
+              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
+              - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
+              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
+              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
+              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
+              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
+              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
+              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
+              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
+              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
+              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
+              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
+              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
+              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
+              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
+              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
+              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
+              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
+              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
+              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
+              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
+              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
+              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
+              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
+              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
+              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
+              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
+              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
+              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
+              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
+              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
+              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
+              - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
+              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
+              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
+              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
+              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
+              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
+              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
+              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
+              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
+              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
+              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
+              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
+              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
+              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
+              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
+              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
+              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
+              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
+              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
+              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
+              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
+              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
+              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
+              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
+              - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
+              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
+              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
+              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
+              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
+              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
+              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
+              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
+              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
+              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
+              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
+              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
+              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
+              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
+              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
+              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
+              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
+              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
+              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
+              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
+              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
+              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
+              - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
+              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
+              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
+              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
+        - Image|endswith: '\PingCastle.exe'
+        - OriginalFileName: PingCastle.exe
+        - Product: 'Ping Castle'
+        - CommandLine|contains:
+              - '--scanner aclcheck'
+              - '--scanner antivirus'
+              - '--scanner computerversion'
+              - '--scanner foreignusers'
+              - '--scanner laps_bitlocker'
+              - '--scanner localadmin'
+              - '--scanner nullsession'
+              - '--scanner nullsession-trust'
+              - '--scanner oxidbindings'
+              - '--scanner remote'
+              - '--scanner share'
+              - '--scanner smb'
+              - '--scanner smb3querynetwork'
+              - '--scanner spooler'
+              - '--scanner startup'
+              - '--scanner zerologon'
+        - CommandLine|contains: '--no-enum-limit'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--level Full'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--server '
+    condition: selection
+falsepositives:
+    - Unknown
+# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
+level: medium

rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml

@@ -0,0 +1,90 @@
+title: PUA - PingCastle Execution From Potentially Suspicious Parent
+id: b37998de-a70b-4f33-b219-ec36bf433dc0
+related:
+    - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
+      type: derived
+status: experimental
+description: |
+    Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
+references:
+    - https://github.com/vletoux/pingcastle
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
+    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
+    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
+    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
+    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/01/11
+tags:
+    - attack.reconnaissance
+    - attack.t1595
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent_ext:
+        ParentCommandLine|contains:
+            - '.bat'
+            - '.chm'
+            - '.cmd'
+            - '.hta'
+            - '.htm'
+            - '.html'
+            - '.js'
+            - '.lnk'
+            - '.ps1'
+            - '.vbe'
+            - '.vbs'
+            - '.wsf'
+    selection_parent_path_1:
+        ParentCommandLine|contains:
+            - ':\Perflogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\Temp\'
+            - '\AppData\Local\Temp'
+            - '\AppData\Roaming\'
+            - '\Temporary Internet'
+    selection_parent_path_2:
+        - ParentCommandLine|contains|all:
+              - ':\Users\'
+              - '\Favorites\'
+        - ParentCommandLine|contains|all:
+              - ':\Users\'
+              - '\Favourites\'
+        - ParentCommandLine|contains|all:
+              - ':\Users\'
+              - '\Contacts\'
+    selection_cli:
+        - Image|endswith: '\PingCastle.exe'
+        - OriginalFileName: PingCastle.exe
+        - Product: 'Ping Castle'
+        - CommandLine|contains:
+              - '--scanner aclcheck'
+              - '--scanner antivirus'
+              - '--scanner computerversion'
+              - '--scanner foreignusers'
+              - '--scanner laps_bitlocker'
+              - '--scanner localadmin'
+              - '--scanner nullsession'
+              - '--scanner nullsession-trust'
+              - '--scanner oxidbindings'
+              - '--scanner remote'
+              - '--scanner share'
+              - '--scanner smb'
+              - '--scanner smb3querynetwork'
+              - '--scanner spooler'
+              - '--scanner startup'
+              - '--scanner zerologon'
+        - CommandLine|contains: '--no-enum-limit'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--level Full'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--server '
+    condition: 1 of selection_parent_* and selection_parent_ext and selection_cli
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml

@@ -0,0 +1,56 @@
+title: Renamed PingCastle Binary Execution
+id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
+status: experimental
+description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
+references:
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://www.pingcastle.com/documentation/scanner/
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2024/01/11
+tags:
+    - attack.execution
+    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1202
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - OriginalFileName:
+              - 'PingCastleReporting.exe'
+              - 'PingCastleCloud.exe'
+              - 'PingCastle.exe'
+        - CommandLine|contains:
+              - '--scanner aclcheck'
+              - '--scanner antivirus'
+              - '--scanner computerversion'
+              - '--scanner foreignusers'
+              - '--scanner laps_bitlocker'
+              - '--scanner localadmin'
+              - '--scanner nullsession'
+              - '--scanner nullsession-trust'
+              - '--scanner oxidbindings'
+              - '--scanner remote'
+              - '--scanner share'
+              - '--scanner smb'
+              - '--scanner smb3querynetwork'
+              - '--scanner spooler'
+              - '--scanner startup'
+              - '--scanner zerologon'
+        - CommandLine|contains: '--no-enum-limit'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--level Full'
+        - CommandLine|contains|all:
+              - '--healthcheck'
+              - '--server '
+    filter_main_img:
+        Image|endswith:
+            - '\PingCastleReporting.exe'
+            - '\PingCastleCloud.exe'
+            - '\PingCastle.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high