Merge pull request #601 from Neo23x0/devel

Devel

rules/windows/builtin/win_susp_time_modification.yml

@@ -7,6 +7,7 @@ references:
     - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
     - Live environment caused by malware
 date: 2019/02/05
+midified: 2020/01/27
 tags:
     - attack.defense_evasion
     - attack.t1099
@@ -27,4 +28,4 @@ detection:
     condition: selection and not ( filter1 or filter2 or filter3 )
 falsepositives:
     - HyperV or other virtualization technologies with binary not listed in filter portion of detection
-level: high
+level: medium

rules/windows/process_creation/win_susp_dctask64_proc_inject.yml

@@ -0,0 +1,31 @@
+title: ZOHO dctask64 Process Injection
+id: 6345b048-8441-43a7-9bed-541133633d7a
+status: experimental
+description: Detects suspicious process injection using ZOHO's dctask64.exe 
+references:
+    - https://twitter.com/gN3mes1s/status/1222088214581825540
+    - https://twitter.com/gN3mes1s/status/1222095963789111296
+    - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\dctask64.exe'
+    filter:
+        CommandLine|contains:
+            - 'DesktopCentral_Agent\agent'
+    condition: selection and not filter
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - ParentImage
+falsepositives:
+    - Unknown yet
+level: high

rules/windows/process_creation/win_susp_renamed_dctask64.yml

@@ -0,0 +1,29 @@
+title: Renamed ZOHO dctask64
+id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
+status: experimental
+description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
+references:
+    - https://twitter.com/gN3mes1s/status/1222088214581825540
+    - https://twitter.com/gN3mes1s/status/1222095963789111296
+    - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
+    filter:
+        Image|endswith: '\dctask64.exe'
+    condition: selection and not filter
+fields:
+    - CommandLine
+    - ParentCommandLine
+    - ParentImage
+falsepositives:
+    - Unknown yet
+level: high

rules/windows/sysmon/sysmon_ads_executable.yml

@@ -18,7 +18,9 @@ detection:
     selection:
         EventID: 15
     filter:
-        Imphash: '00000000000000000000000000000000'
+        Imphash: 
+            - '00000000000000000000000000000000'
+            - null
     condition: selection and not filter
 fields:
     - TargetFilename

rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml

@@ -24,7 +24,9 @@ detection:
     exec_exclusion1:
         Image: '*\explorer.exe'
     exec_exclusion2:
-        CommandLine: '*\netlogon.bat'
+        CommandLine: 
+            - '*\netlogon.bat'
+            - '*\UsrLogon.cmd'
     condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
 ---
 logsource: