Merge pull request #3368 from nasbench/nasbench-rule-devel

New Rules + Update (Rule Dev)

rules/web/web_cve_2021_43798_grafana.yml

@@ -1,7 +1,7 @@
 title: Grafana Path Traversal Exploitation CVE-2021-43798
 id: 7b72b328-5708-414f-9a2a-6a6867c26e16
 status: experimental
-description: Detects a successful Grafana path traversal exploitation 
+description: Detects a successful Grafana path traversal exploitation
 author: Florian Roth
 references:
   - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

rules/web/web_cve_2022_31656_auth_bypass.yml

@@ -0,0 +1,22 @@
+title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
+id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
+status: experimental
+description: |
+    Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
+    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri|contains: '/SAAS/t/_/;/'
+    condition: selection
+falsepositives:
+    - Vulnerability scanners
+level: high
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/web/web_cve_2022_31659_vmware_rce.yml

@@ -0,0 +1,22 @@
+title: CVE-2022-31659 VMware Workspace ONE Access RCE
+id: efdb2003-a922-48aa-8f37-8b80021a9706
+status: experimental
+description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+    category: webserver
+detection:
+    selection:
+        cs-method: 'POST'
+        c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to look spot the difference between benign and malicious requests to this URL
+    condition: selection
+falsepositives:
+    - Vulnerability scanners
+    - Legitimate access to the URI
+level: medium
+tags:
+    - attack.initial_access
+    - attack.t1190

rules/windows/builtin/system/win_anydesk_service_installation.yml

@@ -0,0 +1,22 @@
+title: Anydesk Remote Access Software Service Installation
+id: 530a6faa-ff3d-4022-b315-50828e77eef5
+status: experimental
+description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
+author: Nasreddine Bencherchali
+references:
+    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+date: 2022/08/11
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+        ServiceName: 'AnyDesk Service'
+    condition: selection
+falsepositives:
+    - Legitimate usage of the anydesk tool
+level: medium
+tags:
+  - attack.persistence

rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml

@@ -6,24 +6,25 @@ references:
    - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth
 date: 2022/03/16
-modified: 2022/07/07
+modified: 2022/08/12
 logsource:
-   product: windows
-   category: create_remote_thread
+    product: windows
+    category: create_remote_thread
 detection:
-   selection:
-      TargetImage|endswith:
-         - '\mspaint.exe'
-         - '\calc.exe'
-         - '\notepad.exe'
-         - '\sethc.exe'
-         - '\write.exe'
-         - '\wordpad.exe'
-   condition: selection
+    selection:
+        TargetImage|endswith:
+            - '\mspaint.exe'
+            - '\calc.exe'
+            - '\notepad.exe'
+            - '\sethc.exe'
+            - '\write.exe'
+            - '\wordpad.exe'
+            - '\explorer.exe'
+    condition: selection
 falsepositives:
-   - Unknown
+    - Unknown
 level: high
 tags:
-   - attack.defense_evasion
-   - attack.privilege_escalation
-   - attack.t1055.003
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1055.003

rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml

@@ -1,12 +1,12 @@
 title: Accessing WinAPI in PowerShell. Code Injection
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 status: test
-description: Detecting Code injection with PowerShell in another process
+description: Detects the creation of a remote thread from a Powershell process to another process
 author: Nikita Nazarov, oscd.community
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 date: 2020/10/06
-modified: 2022/07/28
+modified: 2022/08/12
 logsource:
     product: windows
     category: create_remote_thread

rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml

@@ -7,7 +7,7 @@ notes:
     - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2022/07/31
+modified: 2022/08/12
 author: Perez Diego (@darkquassar), oscd.community
 references:
     - Personal research, statistical analysis
@@ -49,8 +49,6 @@ detection:
             - '\outlook.exe'
             - '\ping.exe'
             - '\powerpnt.exe'
-            - '\powershell.exe'
-            - '\pwsh.exe'
             - '\provtool.exe'
             - '\python.exe'
             - '\regsvr32.exe'
@@ -99,6 +97,6 @@ fields:
     - User
     - SourceImage
     - TargetImage
-level: high
 falsepositives:
     - Unknown
+level: high

rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml

@@ -3,7 +3,7 @@ id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
 status: experimental
 description: Detects a Windows executable that writes files to suspicious folders
 references:
-    - No references
+    - Internal Research
 author: Florian Roth
 date: 2021/11/20
 modified: 2022/07/14

rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml

@@ -0,0 +1,40 @@
+title: Windows Binaries Write Suspicious Extensions
+id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
+related:
+    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
+      type: derived
+status: experimental
+description: Detects windows executables that writes files with suspicious extensions
+references:
+    - Internal Research
+author: Nasreddine Bencherchali
+date: 2022/08/12
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\rundll32.exe'
+            #- '\svchost.exe' # Might generate some FP
+            - '\dllhost.exe'
+            - '\smss.exe'
+            - '\RuntimeBroker.exe'
+            - '\sihost.exe'
+            - '\lsass.exe'
+            - '\csrss.exe'
+            - '\winlogon.exe'
+            - '\wininit.exe'
+        TargetFilename|endswith:
+            - '.bat'
+            - '.vbe'
+            - '.txt'
+            - '.vbs'
+            - '.exe'
+            - '.ps1'
+            - '.hta'
+            - '.iso'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml

@@ -4,34 +4,34 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
 author: _pete_0, TheDFIRReport
 references:
-  - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
-  - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
-  - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
+    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
+    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
+    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 date: 2022/05/06
 modified: 2022/05/06
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    CommandLine|startswith:
-      - 'cmd.exe'
-      - 'c:\windows\system32\cmd.exe'
-    CommandLine|contains:
-      - Invoke-UserHunter
-      - Invoke-ShareFinder
-      - Invoke-Kerberoast
-      - Invoke-SMBAutoBrute
-      - Invoke-Nightmare
-      - zerologon
-      - av_query
-    Image|endswith: '\cmd.exe'
-  condition: selection
+    selection:
+        Image|endswith: '\cmd.exe'
+        CommandLine|startswith:
+            - 'cmd.exe'
+            - 'c:\windows\system32\cmd.exe'
+        CommandLine|contains:
+            - Invoke-UserHunter
+            - Invoke-ShareFinder
+            - Invoke-Kerberoast
+            - Invoke-SMBAutoBrute
+            - Invoke-Nightmare
+            - zerologon
+            - av_query
+    condition: selection
 fields:
-  - CommandLine
+    - CommandLine
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.execution
-  - attack.t1059.003
+    - attack.execution
+    - attack.t1059.003

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -24,7 +24,9 @@ detection:
         - ParentImage:
             - C:\Windows\System32\Dism.exe
             - C:\Windows\System32\cleanmgr.exe
-        - ParentImage|endswith: '\WebEx\WebexHost.exe'
+        - ParentImage|endswith:
+            - '\WebEx\WebexHost.exe'
+            - '\thor\thor64.exe'
     condition: selection and not filter
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.

rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -24,7 +24,9 @@ detection:
         - ParentImage:
             - C:\Windows\System32\Dism.exe
             - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
-        - ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
+        - ParentImage|endswith:
+            - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
+            - '\thor\thor64.exe'
     condition: selection and not filter
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.

rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/05
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -37,7 +37,9 @@ detection:
             - '~2.js'
             - '~2.hta'
     filter:
-        ParentImage|endswith: '\WebEx\WebexHost.exe'
+        ParentImage|endswith:
+            - '\WebEx\WebexHost.exe'
+            - '\thor\thor64.exe'
     condition: selection and not filter
 falsepositives:
     - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.

rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml

@@ -11,7 +11,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
     - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/06
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
     category: process_creation
     product: windows
@@ -37,7 +37,9 @@ detection:
             - '~2.js'
             - '~2.hta'
     filter:
-        ParentImage|endswith: '\WebEx\WebexHost.exe'
+        ParentImage|endswith:
+            - '\WebEx\WebexHost.exe'
+            - '\thor\thor64.exe'
     condition: selection and not filter
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_procdump.yml

@@ -1,11 +1,12 @@
 title: Procdump Usage
 id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
-description: Detects uses of the SysInternals Procdump utility
+description: Detects usage of the SysInternals Procdump utility
 status: experimental
 references:
     - Internal Research
 author: Florian Roth
 date: 2021/08/16
+modified: 2022/08/11
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -14,15 +15,11 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection1:
+    selection:
         Image|endswith:
             - '\procdump.exe'
             - '\procdump64.exe'
-    selection2:
-        CommandLine|contains|all:
-            - ' -ma '
-            - '.exe'
-    condition: selection1 or selection2
+    condition: selection
 falsepositives:
     - Legitimate use of procdump by a developer or administrator
 level: medium

rules/windows/process_creation/proc_creation_win_renamed_procdump.yml

@@ -1,12 +1,15 @@
 title: Renamed ProcDump
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
+related:
+    - id: 03795938-1387-481b-9f4c-3f6241e604fe
+      type: obsoletes
 status: test
 description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
 references:
     - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2021/08/16
+modified: 2022/08/12
 tags:
     - attack.defense_evasion
     - attack.t1036.003
@@ -14,22 +17,22 @@ logsource:
     product: windows
     category: process_creation
 detection:
-    selection1:
+    selection_org:
         OriginalFileName: 'procdump'
-    selection2:
-        CommandLine|contains|all:
+    selection_args_ma:
+        CommandLine|contains:
             - ' -ma '
+            - ' /ma '
+    selection_args_other:
+        CommandLine|contains:
             - ' -accepteula '
-    selection3:
-        CommandLine|contains|all:
-            - ' -ma '
-            - '.dmp'
+            - ' /accepteula '
     filter:
         Image|endswith:
             - '\procdump.exe'
             - '\procdump64.exe'
-    condition: ( selection1 or selection2 or selection3 ) and not filter
+    condition: (selection_org or all of selection_args_*) and not filter
 falsepositives:
     - Procdump illegaly bundled with legitimate software
-    - Weird admins who renamed binaries
+    - Weird admins who renamed binaries (and should be investigated)
 level: high

rules/windows/process_creation/proc_creation_win_susp_adfind.yml

@@ -1,33 +0,0 @@
-title: Suspicious AdFind Execution
-id: 75df3b17-8bcc-4565-b89b-c9898acef911
-status: experimental
-description: Detects the execution of a AdFind for Active Directory enumeration
-references:
-    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
-    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
-    - https://thedfirreport.com/2020/05/08/adfind-recon/
-author: FPT.EagleEye Team, omkar72, oscd.community
-date: 2020/09/26
-modified: 2021/05/12
-tags:
-    - attack.discovery
-    - attack.t1018
-    - attack.t1087.002
-    - attack.t1482
-    - attack.t1069.002
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        CommandLine|contains:
-            - 'objectcategory'
-            - 'trustdmp'
-            - 'dcmodes'
-            - 'dclist'
-            - 'computers_pwdnotreqd'
-        Image|endswith: '\adfind.exe'
-    condition: selection
-falsepositives:
-    - Administrative activity
-level: medium

rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml

@@ -1,19 +1,18 @@
-title: Suspicious AdFind Enumerate
+title: Suspicious AdFind Enumeration
 id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 status: experimental
-description: Detects the execution of a AdFind for enumeration
+description: Detects the execution of a AdFind for enumeration based on it's commadline flags
 references:
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
 date: 2021/12/13
+modified: 2022/08/12
 logsource:
     product: windows
     category: process_creation
 detection:
-    selection:
-        Image|endswith: '\adfind.exe'
-    test_5: #Listing password policy
+    selection_password: #Listing password policy
         CommandLine|contains:
             - lockoutduration
             - lockoutthreshold
@@ -23,14 +22,14 @@ detection:
             - minpwdlength
             - pwdhistorylength
             - pwdproperties
-    test_6: #Enumerate Active Directory Admins
+    selection_enum_ad: #Enumerate Active Directory Admins
         CommandLine|contains: '-sc admincountdmp'
-    test_8: #Enumerate Active Directory Exchange AD Objects
+    selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects
         CommandLine|contains: '-sc exchaddresses'
-    condition: selection and 1 of test_*
+    condition: 1 of selection_*
 falsepositives:
     - Administrative activity
-level: medium
+level: high
 tags:
     - attack.discovery
     - attack.t1087.002

rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml

@@ -1,24 +1,31 @@
 title: AdFind Usage Detection
 id: 9a132afa-654e-11eb-ae93-0242ac130002
+related:
+    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
+      type: obsoletes
 status: test
 description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
-author: Janantha Marasinghe (https://github.com/blueteam0ps)
+author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
 references:
     - https://thedfirreport.com/2020/05/08/adfind-recon/
     - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
     - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 date: 2021/02/02
-modified: 2021/02/02
+modified: 2022/08/12
 tags:
     - attack.discovery
-    - attack.t1482
     - attack.t1018
+    - attack.t1087.002
+    - attack.t1482
+    - attack.t1069.002
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        CommandLine|contains:  
+        CommandLine|contains:
             - 'domainlist'
             - 'trustdmp'
             - 'dcmodes'
@@ -37,7 +44,8 @@ detection:
             - 'fspdmp'
             - 'users_noexpire'
             - 'computers_active'
+            - 'computers_pwdnotreqd'
     condition: selection
 falsepositives:
-    - Admin activity
+    - Legitimate admin activity
 level: high

rules/windows/process_creation/proc_creation_win_susp_procdump.yml

@@ -1,26 +0,0 @@
-title: Suspicious Use of Procdump
-id: 03795938-1387-481b-9f4c-3f6241e604fe
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
-    - Internal Research
-author: Florian Roth
-date: 2021/02/02
-modified: 2021/08/16
-tags:
-    - attack.defense_evasion
-    - attack.t1036
-    - attack.t1003.001
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains|all:
-            - ' -ma '
-            - ' -accepteula '
-    condition: selection
-falsepositives:
-    - Another tool that uses the command line switches of Procdump
-    - Legitimate use of procdump by a developer or administrator
-level: high

rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml

@@ -6,7 +6,7 @@ references:
     - Internal Research
 author: Florian Roth
 date: 2018/10/30
-modified: 2021/02/02
+modified: 2022/08/12
 tags:
     - attack.defense_evasion
     - attack.t1036
@@ -18,14 +18,12 @@ logsource:
     product: windows
 detection:
     selection1:
-        CommandLine|contains: ' -ma '
-    selection2:
-        CommandLine|contains: ' lsass'
-    selection3:
-        CommandLine|contains|all:
+        CommandLine|contains:
             - ' -ma '
-            - ' ls'
-    condition: ( selection1 and selection2 ) or selection3
+            - ' /ma '
+    selection2:
+        CommandLine|contains: ' ls' # Short for lsass
+    condition: all of selection*
 falsepositives:
     - Unlikely, because no one should dump an lsass process memory
     - Another tool that uses the command line switches of Procdump

rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml

@@ -0,0 +1,27 @@
+title: Wab Execution From Non Default Location
+id: 395907ee-96e5-4666-af2e-2ca91688e151
+status: experimental
+description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\wab.exe'
+    filter:
+        Image|startswith:
+            - 'C:\Windows\WinSxS\'
+            - 'C:\Program Files\Windows Mail\'
+            - 'C:\Program Files (x86)\Windows Mail\'
+    condition: selection and not filter
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml

@@ -0,0 +1,29 @@
+title: Wab.Exe Unusual Parent Or Child Processes
+id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
+status: experimental
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith:
+            # Add more if known
+            - \WmiPrvSE.exe
+            - \svchost.exe
+            - \dllhost.exe
+        Image|endswith: '\wab.exe'
+    selection_child:
+        ParentImage|endswith: '\wab.exe'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high