From 8aff6b412e39de70da551c9c9854ea97a8a8b16c Mon Sep 17 00:00:00 2001
From: Trent Liffick
Date: Thu, 14 May 2020 22:58:23 -0400
Subject: [PATCH 1/6] added rule for Blue Mockingbird
---
 .../malware/win_mal_blue_mockingbird.yml | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 rules/windows/malware/win_mal_blue_mockingbird.yml
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
new file mode 100644
index 000000000..52a54998d
--- /dev/null
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -0,0 +1,43 @@
+title: Blue Mockingbird
+id: c3198a27-23a0-4c2c-af19-e5328d49680e
+status: experimental
+description: Attempts to detect system changes made by Monero miner
+references:
+ - https://redcanary.com/blog/blue-mockingbird-cryptominer/
+tags:
+ - attack.execution
+ - attack.t1112
+ - attack.1047
+author: Trent Liffick
+date: 2020/05/14
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image: '*\cmd.exe'
+ CommandLine|contains|all:
+ - '*sc config*'
+ - '*wercplsupporte.dll*'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection2:
+ Image: '*\wmic.exe'
+ CommandLine: '*COR_PROFILER'
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection3:
+ EventID: 13
+ TargetObject:
+ - '*\SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+ - unknown
+level: high
From fb1d8d7a76c45451ac1d14829d812ae5961493fe Mon Sep 17 00:00:00 2001
From: Trent Liffick
Date: Thu, 14 May 2020 23:04:14 -0400
Subject: [PATCH 2/6] Corrected typo
---
 rules/windows/malware/win_mal_blue_mockingbird.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index 52a54998d..aa198d309 100644
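Review bot: `selection1` requires `sc config` and `wercplsupporte.dll` to appear in the same command line (`CommandLine|contains|all`); if, as the linked write-up appears to describe, the service start type is changed with one `sc config` command and the DLL path is set separately through the `ServiceDll` registry value, no single command line carries both strings, the selection never fires, and only `selection3` covers the technique. Splitting the two strings into separate selections, or pairing `sc config` with the service name instead of the DLL name, keeps the process_creation coverage meaningful; either way a comment such as `# both strings expected in one command line - verify against reference` records the assumption. `selection3` is keyed on a raw Sysmon `EventID: 13` under `service: sysmon`; if the repository's other registry rules use the generic `category: registry_event` logsource, the same form here keeps the rule backend-agnostic.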
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -7,7 +7,7 @@ references:
 tags:
 - attack.execution
 - attack.t1112
- - attack.1047
+ - attack.t1047
 author: Trent Liffick
 date: 2020/05/14
 ---
From 56a2747a7062e2205f729f19ef34535f80c24c9d Mon Sep 17 00:00:00 2001
From: Trent Liffick
Date: Thu, 14 May 2020 23:18:33 -0400
Subject: [PATCH 3/6] Corrected missing condition learning! fail fast & forward
---
 rules/windows/malware/win_mal_blue_mockingbird.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index aa198d309..1ace83769 100644
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -1,7 +1,7 @@
 title: Blue Mockingbird
 id: c3198a27-23a0-4c2c-af19-e5328d49680e
 status: experimental
-description: Attempts to detect system changes made by Monero miner
+description: Attempts to detect system changes made by Blue Mockingbird
 references:
 - https://redcanary.com/blog/blue-mockingbird-cryptominer/
 tags:
@@ -20,6 +20,7 @@ detection:
 CommandLine|contains|all:
 - '*sc config*'
 - '*wercplsupporte.dll*'
+ condition: selection1
 ---
 logsource:
 category: process_creation
@@ -28,6 +29,7 @@ detection:
 selection2:
 Image: '*\wmic.exe'
 CommandLine: '*COR_PROFILER'
+ condition: selection2
 ---
 logsource:
 product: windows
@@ -37,7 +39,7 @@ detection:
 EventID: 13
 TargetObject:
 - '*\SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: selection1 or selection2 or selection3
+ condition: selection3
 falsepositives:
 - unknown
 level: high
From 40ab1b7247e52be5ff01429a0d6b9b80656aedb2 Mon Sep 17 00:00:00 2001
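Review bot: The replacement `description` in the first hunk still says only that the rule detects "system changes made by Blue Mockingbird", which tells an analyst nothing about what actually fired; the three selections already define the behaviours, so name them, e.g. `description: Detects Blue Mockingbird activity - sc config referencing wercplsupporte.dll, wmic setting COR_PROFILER, or a change to the wercplsupport ServiceDll registry value`. The `references` entry does not substitute for this, because the description is what most backends surface in the alert itself.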
From: Trent Liffick
Date: Thu, 14 May 2020 23:33:08 -0400
Subject: [PATCH 4/6] added 'action: global'
---
 .../malware/win_mal_blue_mockingbird.yml | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index 1ace83769..54f2c08ad 100644
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -1,3 +1,4 @@
+action: global
 title: Blue Mockingbird
 id: c3198a27-23a0-4c2c-af19-e5328d49680e
 status: experimental
@@ -8,38 +9,38 @@ tags:
 - attack.execution
 - attack.t1112
 - attack.t1047
-author: Trent Liffick
+author: Trent Liffick (@tliffick)
 date: 2020/05/14
+falsepositives:
+ - unknown
+level: high
 ---
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ exec_selection:
 Image: '*\cmd.exe'
 CommandLine|contains|all:
 - '*sc config*'
 - '*wercplsupporte.dll*'
- condition: selection1
+ condition: exec_selection
 ---
 logsource:
 category: process_creation
 product: windows
 detection:
- selection2:
+ wmic_cmd:
 Image: '*\wmic.exe'
 CommandLine: '*COR_PROFILER'
- condition: selection2
+ condition: wmic_cmd
 ---
 logsource:
 product: windows
 service: sysmon
 detection:
- selection3:
+ mod_reg:
 EventID: 13
 TargetObject:
 - '*\SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: selection3
-falsepositives:
- - unknown
-level: high
+ condition: mod_reg
From 28dc2a22672e5959e3920a08fa5c17f35a0351f5 Mon Sep 17 00:00:00 2001
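Review bot: With `action: global`, the `falsepositives: - unknown` and `level: high` lines moved into the first document now apply to all three generated rules, including `mod_reg`, which fires on any write to the wercplsupport `ServiceDll` value regardless of the data written. If legitimate servicing or updates rewrite that value with the stock DLL path, that is the known false positive and belongs in `falsepositives` instead of `unknown`; a filter on the Sysmon `Details` field excluding the legitimate path (taken from a known-good host, not guessed) would then keep `level: high` justified. The selection names `exec_selection`, `wmic_cmd` and `mod_reg` follow three different schemes; one pattern such as `selection_sc`, `selection_wmic`, `selection_reg` reads better across the three documents.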
From: Florian Roth
Date: Fri, 15 May 2020 11:33:36 +0200
Subject: [PATCH 5/6] Minor changes hints:
- contains doesn't require wildcards in the strings
- we can use 'endswith' instead of wildcard at the beginning of the string (it's the new way to describe it, we have to change all old rules that contain these wildcards some day)
- we can use "1 of them" to say that 1 of the conditions has to match
---
 .../malware/win_mal_blue_mockingbird.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index 54f2c08ad..d7ce7fa34 100644
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -14,26 +14,25 @@ date: 2020/05/14
 falsepositives:
 - unknown
 level: high
+condition: 1 of them
 ---
 logsource:
 category: process_creation
 product: windows
 detection:
 exec_selection:
- Image: '*\cmd.exe'
+ Image|endswith: '\cmd.exe'
 CommandLine|contains|all:
- - '*sc config*'
- - '*wercplsupporte.dll*'
- condition: exec_selection
+ - 'sc config'
+ - 'wercplsupporte.dll'
 ---
 logsource:
 category: process_creation
 product: windows
 detection:
 wmic_cmd:
- Image: '*\wmic.exe'
- CommandLine: '*COR_PROFILER'
- condition: wmic_cmd
+ Image|endswith: '\wmic.exe'
+ CommandLine|endswith: 'COR_PROFILER'
 ---
 logsource:
 product: windows
@@ -41,6 +40,5 @@ logsource:
 detection:
 mod_reg:
 EventID: 13
- TargetObject:
- - '*\SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: mod_reg
+ TargetObject|endswith:
+ - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
From beb62dc163ee995a9fbe362807c132bf8edd1e09 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 15 May 2020 12:06:34 +0200
Subject: [PATCH 6/6] fix: condition location
---
 rules/windows/malware/win_mal_blue_mockingbird.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
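Review bot: `CommandLine|endswith: 'COR_PROFILER'` in the first hunk only matches when the variable name is the last token of the command line; if the wmic invocation described in the reference passes the value after the variable name, the match fails and the `wmic_cmd` document is effectively dead. The old `'*COR_PROFILER'` had the same anchoring, so this is inherited rather than introduced, but `CommandLine|contains: 'COR_PROFILER'` is the robust form and is consistent with the other wildcard-to-modifier conversions in this commit. The `'wercplsupporte.dll'` string with its extra `e` appears to be the masquerading name from the reference rather than a typo, and deserves a comment such as `# sic - malicious DLL name mimics the legitimate wercplsupport.dll` so a later contributor does not "fix" it.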
diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml
index d7ce7fa34..c40f28d76 100644
--- a/rules/windows/malware/win_mal_blue_mockingbird.yml
+++ b/rules/windows/malware/win_mal_blue_mockingbird.yml
@@ -14,7 +14,8 @@ date: 2020/05/14
 falsepositives:
 - unknown
 level: high
-condition: 1 of them
+detection:
+ condition: 1 of them
 ---
 logsource:
 category: process_creation
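Review bot: `condition: 1 of them` now sits in the global `detection` block and is merged into each of the three documents, where `them` expands to every named selection in that document; today each document has exactly one selection so this equals naming it, but a `filter:` added later to one document would be OR'd in as a positive match instead of excluding anything. A comment beside the condition records the trap, e.g. `# merged into every document below; 'them' covers all selections there, so a future filter needs its own explicit condition in that document`. Whether a per-document `condition` overrides this global one depends on the merge order of the Sigma tooling, so that behaviour should be confirmed before anyone relies on it.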