Merge pull request #3814 from nasbench/nasbench-rule-devel

feat: updates and enhancements

rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml

@@ -3,6 +3,8 @@ id: fc028194-969d-4122-8abe-0470d5b8f12f
 related:
     - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
       type: obsoletes
+    - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
+      type: similar
 status: experimental
 description: |
     Adversaries may acquire credentials from web browsers by reading files specific to the target browser.

rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml

@@ -5,9 +5,11 @@ description: Detects browsers starting with the remote debugging flags. Which is
 references:
     - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
     - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
+    - https://github.com/defaultnamehere/cookie_crimes/
+    - https://github.com/wunderwuzzi23/firefox-cookiemonster
 author: pH-T, Nasreddine Bencherchali (update)
 date: 2022/07/27
-modified: 2022/10/12
+modified: 2022/12/23
 tags:
     - attack.credential_access
     - attack.t1185
@@ -20,7 +22,7 @@ detection:
         CommandLine|contains: ' --remote-debugging-'
     selection_firefox:
         Image|endswith: '\firefox.exe'
-        CommandLine|contains: ' -start-debugger-server '
+        CommandLine|contains: ' -start-debugger-server'
     condition: 1 of selection_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml

@@ -0,0 +1,28 @@
+title: Potential Data Stealing Via Chromium Headless Debugging
+id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+status: experimental
+description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+references:
+    - https://github.com/defaultnamehere/cookie_crimes/
+    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
+    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
+    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+    - attack.credential_access
+    - attack.t1185
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
+            - '--remote-debugging-'
+            - '--user-data-dir'
+            - '--headless'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_copy_browser_data.yml

@@ -0,0 +1,47 @@
+title: Potential Browser Data Stealing
+id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
+related:
+    - id: fc028194-969d-4122-8abe-0470d5b8f12f
+      type: derived
+status: experimental
+description: |
+    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+    Web browsers typically store the credentials in an encrypted format within a credential store.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+    - attack.credential_access
+    - attack.t1555.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmd:
+        - CommandLine|contains:
+            - 'copy-item'
+            - 'copy'
+            - 'cpi '
+            - ' cp '
+            - 'move'
+            - 'move-item'
+            - ' mi '
+            - ' mv '
+        - Image|endswith:
+            - '\xcopy.exe'
+            - '\robocopy.exe'
+        - OriginalFileName:
+            - 'XCOPY.EXE'
+            - 'robocopy.exe'
+    selection_path:
+        CommandLine|contains:
+            - '\Opera Software\Opera Stable\'
+            - '\Mozilla\Firefox\Profiles'
+            - '\Microsoft\Edge\User Data\'
+            - '\Google\Chrome\User Data\'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml

@@ -9,7 +9,7 @@ references:
     - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali'
 date: 2019/12/30
-modified: 2022/11/09
+modified: 2022/12/23
 tags:
     - attack.lateral_movement
     - attack.collection
@@ -22,9 +22,12 @@ logsource:
     product: windows
 detection:
     selection_other_tools:
-        Image|endswith:
+        - Image|endswith:
             - '\robocopy.exe'
             - '\xcopy.exe'
+        - OriginalFileName:
+            - 'robocopy.exe'
+            - 'XCOPY.EXE'
     selection_cmd_img:
         - Image|endswith: '\cmd.exe'
         - OriginalFileName: 'Cmd.Exe'