diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index e097791ba..628f4a7fb 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -7,6 +7,7 @@ references:
 - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
 - Live environment caused by malware
 date: 2019/02/05
+midified: 2020/01/27
 tags:
 - attack.defense_evasion
 - attack.t1099
@@ -27,4 +28,4 @@ detection:
 condition: selection and not ( filter1 or filter2 or filter3 )
 falsepositives:
 - HyperV or other virtualization technologies with binary not listed in filter portion of detection
-level: high
+level: medium
diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
new file mode 100644
index 000000000..24eaed4cf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
@@ -0,0 +1,31 @@
+title: ZOHO dctask64 Process Injection
+id: 6345b048-8441-43a7-9bed-541133633d7a
+status: experimental
+description: Detects suspicious process injection using ZOHO's dctask64.exe
+references:
+ - https://twitter.com/gN3mes1s/status/1222088214581825540
+ - https://twitter.com/gN3mes1s/status/1222095963789111296
+ - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\dctask64.exe'
+ filter:
+ CommandLine|contains:
+ - 'DesktopCentral_Agent\agent'
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - ParentImage
+falsepositives:
+ - Unknown yet
+level: high
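Review bot: The attribute added in the first hunk is misspelled: `+midified: 2020/01/27` should read `modified: 2020/01/27`, since `modified` is the field name the Sigma rule schema and its tooling recognise, and as written the update date is silently ignored by anything that reads that field. The accompanying change of `level` from high to medium in the second hunk carries no explanation; a short reason in the rule's description would help future tuning. The rest of the rule document lies outside these hunks.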
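Review bot: In the new win_susp_dctask64_proc_inject.yml the exclusion is keyed on a command-line substring, `CommandLine|contains: 'DesktopCentral_Agent\agent'`, so whether an event is suppressed is decided by argument text rather than by which binary ran from where. If the legitimate agent always launches dctask64.exe from that install directory (presumably so, but confirm on a reference host), anchoring the exemption to the image path, `Image|contains: 'DesktopCentral_Agent\agent'`, or to the agent's ParentImage ties it to the trusted location instead. A `falsepositives` entry naming the legitimate Desktop Central agent activity would also document why the exclusion exists, instead of the current `Unknown yet`.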
diff --git a/rules/windows/process_creation/win_susp_renamed_dctask64.yml b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
new file mode 100644
index 000000000..ff5b95735
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
@@ -0,0 +1,29 @@
+title: Renamed ZOHO dctask64
+id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
+status: experimental
+description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
+references:
+ - https://twitter.com/gN3mes1s/status/1222088214581825540
+ - https://twitter.com/gN3mes1s/status/1222095963789111296
+ - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
+ filter:
+ Image|endswith: '\dctask64.exe'
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - ParentImage
+falsepositives:
+ - Unknown yet
+level: high
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 2231ee99b..7e111015c 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -18,7 +18,9 @@ detection:
 selection:
 EventID: 15
 filter:
- Imphash: '00000000000000000000000000000000'
+ Imphash:
+ - '00000000000000000000000000000000'
+ - null
 condition: selection and not filter
 fields:
 - TargetFilename
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index aab980bc4..1e99dc4fd 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
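Review bot: The selection in win_susp_renamed_dctask64.yml matches solely on `Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'`, but the logsource is the generic `category: process_creation` / `product: windows`, which some backends map to Security event 4688, where no Imphash field exists; on such a backend the rule converts cleanly but can never fire. The rule depends on Sysmon process-creation events with the IMPHASH algorithm enabled in the Sysmon HashAlgorithms configuration, and that prerequisite should be stated in `description` (or the logsource narrowed to Sysmon), e.g. append `Requires Sysmon with IMPHASH enabled in HashAlgorithms`. Since a single import hash covers only this build of the binary, the `experimental` status is appropriate and could be noted alongside `falsepositives: - Unknown yet`.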
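Review bot: Adding `- null` to the filter in sysmon_ads_executable.yml suppresses every EventID 15 event in which the Imphash field is absent, so on a Sysmon deployment whose HashAlgorithms setting does not include IMPHASH the field is never populated, `selection and not filter` matches nothing, and the rule goes dark without any error. That is presumably intended to drop stream content that is not a PE, but the dependency should be visible in the rule itself: add above the filter `# requires Sysmon HashAlgorithms to include IMPHASH; otherwise the null entry suppresses all EventID 15 events`, or state it in the description. The rule's metadata and description lie outside this hunk.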
@@ -24,7 +24,9 @@ detection:
 exec_exclusion1:
 Image: '*\explorer.exe'
 exec_exclusion2:
- CommandLine: '*\netlogon.bat'
+ CommandLine:
+ - '*\netlogon.bat'
+ - '*\UsrLogon.cmd'
 condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
 ---
 logsource:
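Review bot: The new exclusion `- '*\UsrLogon.cmd'` is keyed on the file name alone, so after this change a logon script with that name is exempt from `exec_selection` wherever it resides, which widens the rule's blind spot beyond the one script the commit means to whitelist. If the legitimate UsrLogon.cmd always runs from a fixed system directory (confirm on a reference host), anchor the glob to that directory so the exemption stays tied to the trusted location; otherwise record the widened gap in `falsepositives`, which lies outside this hunk. The same file-name-only pattern already applies to `exec_exclusion1` (`'*\explorer.exe'`), so the two could be tightened together.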