From 240b764660bb2504270b5ef0bfa1a8666f916a78 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 27 Jan 2020 14:30:09 +0100
Subject: [PATCH 1/3] rule: reduced level of system time mod rule

---
 rules/windows/builtin/win_susp_time_modification.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml
index e097791ba..628f4a7fb 100644
--- a/rules/windows/builtin/win_susp_time_modification.yml
+++ b/rules/windows/builtin/win_susp_time_modification.yml
@@ -7,6 +7,7 @@ references:
 - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
 - Live environment caused by malware
 date: 2019/02/05
+midified: 2020/01/27
 tags:
 - attack.defense_evasion
 - attack.t1099
@@ -27,4 +28,4 @@ detection:
 condition: selection and not ( filter1 or filter2 or filter3 )
 falsepositives:
 - HyperV or other virtualization technologies with binary not listed in filter portion of detection
-level: high
+level: medium

From d48fc9d1ff452c44d3bc000da70946138dc6739c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 28 Jan 2020 10:11:09 +0100
Subject: [PATCH 2/3] fix: multiple false positive conditions

---
 rules/windows/sysmon/sysmon_ads_executable.yml | 4 +++-
 .../sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 2231ee99b..7e111015c 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -18,7 +18,9 @@ detection:
 selection:
 EventID: 15
 filter:
- Imphash: '00000000000000000000000000000000'
+ Imphash:
+ - '00000000000000000000000000000000'
+ - null
 condition: selection and not filter
 fields:
 - TargetFilename
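Review bot: The key added in the first hunk of win_susp_time_modification.yml, `midified: 2020/01/27`, is a typo for Sigma's `modified` field, so tooling that reads the modification date will not see it; change the line to `modified: 2020/01/27`. The rule's title, id and detection block sit outside this hunk, so nothing else needs touching for this fix.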
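Review bot: The `- null` entry added to the Imphash filter in sysmon_ads_executable.yml suppresses every EventID 15 record that carries no Imphash at all, which, if I read Sigma's null semantics correctly, is the intended way to drop non-PE streams but also makes the rule silent whenever the sensor does not emit an import hash for the stream. That dependency should be visible in the rule, e.g. a comment on the added line such as `# null: streams without an Imphash are not PE files; requires IMPHASH in Sysmon's configured HashAlgorithms`. The patch is titled as a fix, yet neither this hunk nor the sysmon_logon_scripts_userinitmprlogonscript.yml hunk adds a `modified: 2020/01/28` line, unlike the first patch in this series.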
diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
index aab980bc4..1e99dc4fd 100644
--- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml
@@ -24,7 +24,9 @@ detection:
 exec_exclusion1:
 Image: '*\explorer.exe'
 exec_exclusion2:
- CommandLine: '*\netlogon.bat'
+ CommandLine:
+ - '*\netlogon.bat'
+ - '*\UsrLogon.cmd'
 condition: exec_selection and not exec_exclusion1 and not exec_exclusion2
 ---
 logsource:

From 7786edac29e538ce4cd6482eded63fe25a0b3c95 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 28 Jan 2020 11:29:24 +0100
Subject: [PATCH 3/3] rule: dctask64.exe evasion techniques https://twitter.com/gN3mes1s/status/1222088214581825540

---
 .../win_susp_dctask64_proc_inject.yml | 31 +++++++++++++++++++
 .../win_susp_renamed_dctask64.yml | 29 +++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
 create mode 100644 rules/windows/process_creation/win_susp_renamed_dctask64.yml

diff --git a/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
new file mode 100644
index 000000000..24eaed4cf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dctask64_proc_inject.yml
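Review bot: The new `'*\UsrLogon.cmd'` value in exec_exclusion2 is a suffix match on the whole CommandLine, so the exclusion now drops any process whose command line ends in that string regardless of the directory the script is launched from; a more path-specific value, or pairing the exclusion with a ParentImage constraint as exec_exclusion1 already does with Image, would fix the false positive without widening the blind spot that far. The `exec_selection` this condition depends on and the rule's falsepositives section are outside the hunk, so the logon-script names being excluded cannot be checked against what is documented there.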
@@ -0,0 +1,31 @@
+title: ZOHO dctask64 Process Injection
+id: 6345b048-8441-43a7-9bed-541133633d7a
+status: experimental
+description: Detects suspicious process injection using ZOHO's dctask64.exe
+references:
+ - https://twitter.com/gN3mes1s/status/1222088214581825540
+ - https://twitter.com/gN3mes1s/status/1222095963789111296
+ - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\dctask64.exe'
+ filter:
+ CommandLine|contains:
+ - 'DesktopCentral_Agent\agent'
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - ParentImage
+falsepositives:
+ - Unknown yet
+level: high
diff --git a/rules/windows/process_creation/win_susp_renamed_dctask64.yml b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
new file mode 100644
index 000000000..ff5b95735
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_renamed_dctask64.yml
@@ -0,0 +1,29 @@
+title: Renamed ZOHO dctask64
+id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
+status: experimental
+description: Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
+references:
+ - https://twitter.com/gN3mes1s/status/1222088214581825540
+ - https://twitter.com/gN3mes1s/status/1222095963789111296
+ - https://twitter.com/gN3mes1s/status/1222095371175911424
+author: Florian Roth
+date: 2020/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'
+ filter:
+ Image|endswith: '\dctask64.exe'
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - ParentImage
+falsepositives:
+ - Unknown yet
+level: high
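Review bot: The description in win_susp_dctask64_proc_inject.yml, `Detects suspicious process injection using ZOHO's dctask64.exe`, claims more than the logic checks: the selection matches every execution of an image ending in `\dctask64.exe` and the filter only discards command lines containing `DesktopCentral_Agent\agent`, so the rule actually fires on the binary running from outside the agent directory, with no look at what it does. Suggest `description: Detects ZOHO's dctask64.exe executing outside the expected DesktopCentral agent path; the binary can be abused for process injection (see references)`, and a `falsepositives` entry for legitimate agent installs in a non-default path rather than `Unknown yet`. As a style point, `Image|endswith` and `CommandLine|contains` each wrap a single value in a list here while the sibling win_susp_renamed_dctask64.yml in the same patch writes single values as plain scalars; one form for both files would read better.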
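Review bot: The selection in win_susp_renamed_dctask64.yml rests entirely on `Imphash: '6834B1B94E49701D77CCB3C0895E1AFD'`, a field the `process_creation` logsource only carries when the event source computes import hashes (Sysmon with IMPHASH enabled; the Security 4688 event has no hash fields), so on other sources the rule converts cleanly but can never match. That prerequisite belongs in the rule text, e.g. `# requires a process_creation source that emits Imphash (Sysmon with IMPHASH in HashAlgorithms)` above the selection. The description also lists "process injection, command execution, process creation" although nothing in the detection examines those behaviours; it only establishes that the file name no longer matches the binary, so `description: Detects a renamed dctask64.exe (ZOHO-signed binary that can be abused for process injection) by its import hash` states what is actually checked. A single import hash may cover only one build of the binary, so it is worth noting in falsepositives or description that other versions may carry a different Imphash.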