From 86a849728d96bb2278cf132d56ade3b243314fd5 Mon Sep 17 00:00:00 2001
From: omkar72
Date: Fri, 30 Oct 2020 13:15:11 +0530
Subject: [PATCH 1/3] ryuk changes

---
 .../process_creation/win_susp_psexec_eula.yml | 26 +++++++++++++++++++
 .../win_susp_recon_activity.yml | 8 ++++--
 .../process_creation/win_trust_discovery.yml | 11 +++++---
 .../registry_event/sysmon_runkey_winekey.yml | 26 +++++++++++++++++++
 4 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 rules/windows/process_creation/win_susp_psexec_eula.yml
 create mode 100644 rules/windows/registry_event/sysmon_runkey_winekey.yml

diff --git a/rules/windows/process_creation/win_susp_psexec_eula.yml b/rules/windows/process_creation/win_susp_psexec_eula.yml
new file mode 100644
index 000000000..4955ed48f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexec_eula.yml
@@ -0,0 +1,26 @@
+title: Psexec Accepteula Condition
+id: 730fc21b-eaff-474b-ad23-90fd265d4988
+description: Detect accept agreement execution in psexec commandline
+status: experimental
+author: omkar72
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+date: 2020/10/30
+tags:
+ - attack.execution
+ - attack.t1569
+ - attack.1021
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\psexec.exe'
+ CommandLine|contains: 'accepteula'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Administrative scripts.
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml
index 74d50f3d5..f6e102e19 100644
--- a/rules/windows/process_creation/win_susp_recon_activity.yml
+++ b/rules/windows/process_creation/win_susp_recon_activity.yml
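Review bot: The FireEye URL on the sixth added line sits directly under `author: omkar72` with no `references:` key, so depending on the loader it is either folded into the author scalar as a plain-scalar continuation line or rejected outright, and in neither case does the rule end up with a references list; insert `references:` between the author line and the URL line. The same orphaned URL is still visible as context in the `@@ -1,6 +1,6 @@` hunk of patch 3/3, so none of the three patches in this series fixes it. Separately, `Image|endswith: '\psexec.exe'` in the selection does not match the 64-bit PsExec binary that ships in the same Sysinternals package, so a list is more complete: `Image|endswith:` / `- '\psexec.exe'` / `- '\psexec64.exe'`.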
@@ -2,9 +2,12 @@ title: Suspicious Reconnaissance Activity
 id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
 status: experimental
 description: Detects suspicious command line activity on Windows systems
-author: Florian Roth
+author: Florian Roth, omkar72
 date: 2019/01/16
-modified: 2020/08/28
+modified: 2020/10/30
+references:
+ - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
+ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
 tags:
 - attack.discovery
 - attack.t1087.001
@@ -18,6 +21,7 @@ detection:
 CommandLine:
 - net group "domain admins" /domain
 - net localgroup administrators
+ - net group "enterprise admins" /domain
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
index 1a0111d00..188ea07bd 100644
--- a/rules/windows/process_creation/win_trust_discovery.yml
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -2,12 +2,14 @@ title: Domain Trust Discovery
 id: 3bad990e-4848-4a78-9530-b427d854aac0
 description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
 date: 2019/10/24
-modified: 2019/11/11
+modified: 2020/10/30
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
 - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
+ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+ - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 tags:
 - attack.discovery
 - attack.t1482
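Review bot: The added `- net group "enterprise admins" /domain` entry in the `@@ -18,6 +21,7 @@` hunk is, like the two entries above it, an exact-value match on CommandLine, so it fires only when the command line carries precisely this spelling, quoting and argument order and silently misses any other rendering of the same query. A contains-style match on the distinctive group name is more robust and keeps the same intent, e.g. `CommandLine|contains|all:` with `- 'group'`, `- 'enterprise admins'`, `- '/domain'` as a second selection OR-ed into the condition. The `selection:` key that encloses this `CommandLine:` list begins above the hunk, so the condition line may need `selection or selection_ea` rather than a list edit alone.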
@@ -17,7 +19,10 @@ logsource:
 detection:
 selection:
 - Image|endswith: '\nltest.exe'
- CommandLine|contains: 'domain_trusts'
+ CommandLine|contains:
+ - 'domain_trusts'
+ - 'all_trusts'
+ - '/dclist'
 - Image|endswith: '\dsquery.exe'
 CommandLine|contains: 'trustedDomain'
 condition: selection
diff --git a/rules/windows/registry_event/sysmon_runkey_winekey.yml b/rules/windows/registry_event/sysmon_runkey_winekey.yml
new file mode 100644
index 000000000..636015fce
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_runkey_winekey.yml
@@ -0,0 +1,26 @@
+title: WINEKEY Registry Modification
+id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
+description: Detects potential malicious modification of run keys by winekey or team9 backdoor
+date: 2020/10/30
+author: omkar72
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+tags:
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith:
+ - 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - Unknown
+level: high
From f1bb9726ca2c8012f148be8274b13f28237b1950 Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Fri, 30 Oct 2020 13:35:40 +0530
Subject: [PATCH 2/3] updated mitre tag

---
 rules/windows/process_creation/win_susp_psexec_eula.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_psexec_eula.yml b/rules/windows/process_creation/win_susp_psexec_eula.yml
index 4955ed48f..0bcc3e919 100644
--- a/rules/windows/process_creation/win_susp_psexec_eula.yml
+++ b/rules/windows/process_creation/win_susp_psexec_eula.yml
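Review bot: The new `- '/dclist'` value under the nltest.exe selection matches domain-controller listing, which is remote system discovery rather than trust enumeration, so the rule's title, description and `attack.t1482` tag (all above this hunk) no longer describe everything the selection fires on; either add `- attack.t1018` to the tags and extend the description, or keep `/dclist` in its own rule. That switch is also commonly issued by administrators and health-check scripts, so the rule's false-positive entry, which is outside the hunk if the file has one, should mention it. The `detection:` block is complete inside the hunk; the metadata it affects is not.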
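Review bot: The new `sysmon_runkey_winekey.yml` has no `status:` field, while its sibling `win_susp_psexec_eula.yml` in the same patch declares `status: experimental`; add `status: experimental` after the `id:` line so the two new rules carry consistent metadata. The `attack.t1547` tag names the parent technique, but the selection is specifically a write to a `CurrentVersion\Run` value, for which the sub-technique tag `attack.t1547.001` is the precise one. `TargetObject|endswith:` holds a single value, so the list form is unnecessary; a scalar `TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'` reads more simply and behaves the same.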
@@ -8,7 +8,7 @@ date: 2020/10/30
 tags:
 - attack.execution
 - attack.t1569
- - attack.1021
+ - attack.t1021
 logsource:
 category: process_creation
 product: windows
@@ -23,4 +23,4 @@ fields:
 - CommandLine
 falsepositives:
 - Administrative scripts.
-level: medium
\ No newline at end of file
+level: medium
From 8e801ede320e15261ba699c95545fb8abb2138dd Mon Sep 17 00:00:00 2001
From: OG <36105402+omkar72@users.noreply.github.com>
Date: Sun, 29 Nov 2020 17:45:29 +0530
Subject: [PATCH 3/3] Update win_susp_psexec_eula.yml

---
 rules/windows/process_creation/win_susp_psexec_eula.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_psexec_eula.yml b/rules/windows/process_creation/win_susp_psexec_eula.yml
index 0bcc3e919..40688d99f 100644
--- a/rules/windows/process_creation/win_susp_psexec_eula.yml
+++ b/rules/windows/process_creation/win_susp_psexec_eula.yml
@@ -1,6 +1,6 @@
 title: Psexec Accepteula Condition
 id: 730fc21b-eaff-474b-ad23-90fd265d4988
-description: Detect accept agreement execution in psexec commandline
+description: Detect ed user accept agreement execution in psexec commandline
 status: experimental
 author: omkar72
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
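Review bot: The rewritten description in the `@@ -1,6 +1,6 @@` hunk of patch 3/3 reads `Detect ed user accept agreement execution in psexec commandline`, where `Detect ed` is a broken word and the intended meaning (detected? detects?) is unclear; `description: Detects acceptance of the PsExec EULA (accepteula) on the command line` states what the selection actually matches. The description should also say why this matters for the reader of an alert, since the only detection logic is the `accepteula` substring and the false-positive entry below is `Administrative scripts.`.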