feat: updates and new rules related to fin7

2023-05-05 01:26:06 +02:00
parent 796fa721fd
commit 24ed6be065
18 changed files with 445 additions and 72 deletions
@@ -1,4 +1,4 @@
-title: Potential Conti Ransomware Database Dumping Activity
+title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
 id: 2f47f1fd-0901-466e-a770-3b7092834a1b
 status: test
 description: Detects a command used by conti to dump database
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 author: frack113
 date: 2021/08/16
-modified: 2023/02/13
+modified: 2023/05/04
 tags:
    - attack.collection
    - attack.t1005
@@ -28,7 +28,7 @@ detection:
            - 'sys.sysprocesses'
            - 'master.dbo.sysdatabases'
            - 'BACKUP DATABASE'
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,13 @@
+# FIN7 Targets Veeam Backup Servers
+
+## Summary
+
+Withsecure labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.
+
+You can find more information on the threat in the following articles:
+
+- [FIN7 tradecraft seen in attacks against Veeam backup servers](https://labs.withsecure.com/publications/fin7-target-veeam-servers)
+
+## Rules
+
+- 
@@ -0,0 +1,21 @@
+title: Potential APT FIN7 Related PowerShell Script Created
+id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
+status: experimental
+description: Detects powershell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.execution
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        - TargetFilename|endswith: '_64refl.ps1'
+        - TargetFilename: 'host_ip.ps1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,26 @@
+title: FIN7 POWERHOLD Execution
+id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
+status: test
+description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - '$env:APPDATA'
+            - 'function MainPayload'
+            - '::WriteAllBytes'
+            - 'wscript.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: Potential POWERTRASH Script Execution
+id: 4e19528a-f081-40dd-be09-90c39352bd64
+status: test
+description: Detects potential execution of the PowerShell script POWERTRASH
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.execution
+    - attack.t1059.001
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'IO.Compression.DeflateStream'
+            - 'IO.MemoryStream'
+            - '::FromBase64String'
+            - 'GetDelegateForFunctionPointer'
+            - '.Invoke()'
+            - 'GlobalAssemblyCache'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,28 @@
+title: Potential FIN7 Reconnaissance/POWERTRASH Related Activity
+id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
+status: experimental
+description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_1:
+        CommandLine|contains|all:
+            - '-noni -nop -exe bypass -f \\\\'
+            - 'ADMIN$'
+    selection_2:
+        CommandLine|contains|all:
+            - '-ex bypass -noprof -nolog -nonint -f'
+            - 'C:\Windows\Temp\'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,27 @@
+title: Suspicious Base64 Encoded User-Agent
+id: d443095b-a221-4957-a2c4-cd1756c9b747
+related:
+    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
+      type: derived
+status: experimental
+description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
+references:
+    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.command_and_control
+    - attack.t1071.001
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-useragent|startswith:
+            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
+            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
+            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
+            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -1,12 +1,16 @@
-title: Suspicious Base64 User Agent
+title: Potential Base64 Encoded User-Agent
 id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
+related:
+    - id: d443095b-a221-4957-a2c4-cd1756c9b747
+      type: derived
 status: experimental
-description: Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string
+description: Detects User Agent strings that end with an equal sign, which can be a sign of if being encoded in base64.
 references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
-author: Florian Roth (Nextron Systems)
+    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
+author: Florian Roth (Nextron Systems), Brian Ingram (update)
 date: 2022/07/08
-modified: 2022/11/27
+modified: 2023/05/04
 tags:
    - attack.command_and_control
    - attack.t1071.001
@@ -14,14 +18,8 @@ logsource:
    category: proxy
 detection:
    selection:
-        c-useragent|endswith:
-            - '='
-            - 'TW96aWxsY'  # base64 encoded Mozilla/ as used by YamaBot
+        c-useragent|endswith: '='
    condition: selection
-fields:
-    - ClientIP
-    - c-uri
-    - c-useragent
 falsepositives:
    - Unknown
-level: high
+level: medium
@@ -0,0 +1,27 @@
+title: PowerShell Script With File Hostname Resolving Capabilities
+id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
+status: experimental
+description: Detects powershell scripts that have capabilities to read files, loop through them and resolve dns host entries.
+references:
+    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.exfiltration
+    - attack.t1020
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'Get-content '
+            - 'foreach'
+            - '[System.Net.Dns]::GetHostEntry'
+            - 'Out-File'
+    condition: selection
+falsepositives:
+    - The same functionality can be implemented by admin scripts, correlate with name and creator
+level: medium
@@ -1,33 +1,31 @@
-title: Windows PowerShell Upload Web Request
+title: PowerShell Script With File Upload Capabilities
 id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 status: experimental
-description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+description: Detects powershell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
 author: frack113
 date: 2022/01/07
-modified: 2023/01/02
+modified: 2023/05/04
 tags:
    - attack.exfiltration
    - attack.t1020
 logsource:
    product: windows
    category: ps_script
-    definition: 'Requirements: Script Block Logging must be enabled'
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
 detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
    selection_flag:
-        ScriptBlockText|contains: '-Method '
-    selection_verb:
        ScriptBlockText|contains:
-            - ' Put '
-            - ' Post '
+            - '-Method Put'
+            - '-Method Post'
    condition: all of selection_*
 falsepositives:
-    - Legitimate script
-level: medium
+    - Unknown
+level: low
@@ -1,29 +0,0 @@
-title: Powershell Trigger Profiles by Add_Content
-id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
-status: test
-description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
-author: frack113
-date: 2021/08/18
-modified: 2022/12/25
-tags:
-    - attack.privilege_escalation
-    - attack.t1546.013
-logsource:
-    product: windows
-    category: ps_script
-    definition: 'Requirements: Script Block Logging must be enabled'
-detection:
-    selection:
-        ScriptBlockText|contains|all:
-            - 'Add-Content'
-            - '$profile'
-            - '-Value'
-        ScriptBlockText|contains:
-            - 'Start-Process'
-            - '""'  #cleanup action
-    condition: selection
-falsepositives:
-    - Unknown
-level: medium
@@ -0,0 +1,35 @@
+title: Potential Persistence Via PowerShell User Profile Using Add-Content
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+status: test
+description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/08/18
+modified: 2023/05/04
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.013
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_add:
+        ScriptBlockText|contains: 'Add-Content $profile'
+    selection_options:
+        ScriptBlockText|contains:
+            # Note: You can add more suspicious values
+            - '-Value "IEX '
+            - '-Value "Invoke-Expression'
+            - '-Value "Invoke-WebRequest'
+            - '-Value "Start-Process'
+            - "-Value 'IEX "
+            - "-Value 'Invoke-Expression"
+            - "-Value 'Invoke-WebRequest"
+            - "-Value 'Start-Process"
+    condition: selection
+falsepositives:
+    - Legitimate administration and tuning scripts that aims to add functionality to a user powershell session
+level: medium
@@ -0,0 +1,26 @@
+title: Veeam Backup Servers Credential Dumping Script Execution
+id: 976d6e6f-a04b-4900-9713-0134a353e38b
+status: experimental
+description: Detects execution of a powershell script that contains calls to the "Veeam.Backup" class, in order to dump credential stored.
+references:
+    - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.credential_access
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - '[Credentials]'
+            - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
+            - 'Invoke-Sqlcmd'
+            - 'Veeam Backup and Replication'
+    condition: selection
+falsepositives:
+    - Administrators backup scripts (must be investigated)
+level: high
@@ -0,0 +1,80 @@
+title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+status: experimental
+description: Detects file download using curl.exe
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\curl.exe'
+        - OriginalFileName: 'curl.exe'
+    selection_websites:
+        - CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+        - CommandLine|contains:
+            - 'anonfiles.com'
+            - 'cdn.discordapp.com/attachments/'
+            - 'ddns.net'
+            - 'ghostbin.co/'
+            - 'gist.githubusercontent.com'
+            - 'hastebin.com'
+            - 'mediafire.com'
+            - 'mega.nz'
+            - 'paste.ee'
+            - 'paste.ee'
+            - 'pastebin.com'
+            - 'pastebin.pl'
+            - 'pastetext.net'
+            - 'privatlab.com'
+            - 'privatlab.net'
+            - 'raw.githubusercontent.com'
+            - 'send.exploit.in'
+            - 'sendspace.com'
+            - 'storage.googleapis.com'
+            - 'temp.sh'
+            - 'transfer.sh'
+            - 'ufile.io'
+    selection_http:
+        CommandLine|contains: 'http'
+    selection_flag:
+        CommandLine|contains:
+            - ' -O'  # covers the alias for --remote-name and --output
+            - '--remote-name'
+            - '--output'
+    selection_ext:
+        CommandLine|endswith:
+            - ".ps1"
+            - ".ps1'"
+            - '.ps1"'
+            - ".bat"
+            - ".bat'"
+            - '.bat"'
+            - ".exe"
+            - ".exe'"
+            - '.exe"'
+            - ".vbs"
+            - ".vbs'"
+            - '.vbs"'
+            - ".vbe"
+            - ".vbe'"
+            - '.vbe"'
+            - ".hta"
+            - ".hta'"
+            - '.hta"'
+            - ".dll"
+            - ".dll'"
+            - '.dll"'
+            - ".psm1"
+            - ".psm1'"
+            - '.psm1"'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -1,13 +1,13 @@
-title: Suspicious Shells Spawn by SQL Server
+title: Suspicious Child Process Of SQL Server
 id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 related:
    - id: 344482e4-a477-436c-aa70-7536d18a48c7
      type: obsoletes
 status: experimental
-description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
+description: Detects suspicious child processes of SQLServer process. This could indicate potential RCE or SQL Injection.
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
-modified: 2023/01/21
+modified: 2023/05/04
 tags:
    - attack.t1505.003
    - attack.t1190
@@ -21,17 +21,25 @@ detection:
    selection:
        ParentImage|endswith: '\sqlservr.exe'
        Image|endswith:
-            - '\cmd.exe'
-            - '\sh.exe'
+            # You can add other uncommon or suspicious processes
            - '\bash.exe'
+            - '\bitsadmin.exe'
+            - '\cmd.exe'
+            - '\netstat.exe'
+            - '\nltest.exe'
+            - '\ping.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
-            - '\bitsadmin.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\sh.exe'
            - '\systeminfo.exe'
-    filter_datev:
+            - '\tasklist.exe'
+            - '\wsl.exe'
+    filter_optional_datev:
        ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
        ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
        Image: 'C:\Windows\System32\cmd.exe'
        CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
-    condition: selection and not 1 of filter_*
+    condition: selection and not 1 of filter_optional_*
 level: high
@@ -0,0 +1,52 @@
+title: Suspicious Child Process Of SQL Server
+id: d55b793d-f847-4eea-b59a-5ab09908ac90
+related:
+    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
+      type: similar
+status: experimental
+description: Detects suspicious child processes of SQLServer process. This could indicate potential RCE or SQL Injection.
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.initial_access
+    - attack.persistence
+    - attack.privilege_escalation
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|endswith: '\sqlservr.exe'
+        ParentCommandLine|contains: 'VEEAMSQL'
+    selection_child_1:
+        Image|endswith:
+            - '\cmd.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\wsl.exe'
+            - '\wt.exe'
+        CommandLine|contains:
+            - '-ex '
+            - 'bypass'
+            - 'cscript'
+            - 'DownloadString'
+            - 'http://'
+            - 'https://'
+            - 'mshta'
+            - 'regsvr32'
+            - 'rundll32'
+            - 'wscript'
+            - 'copy '
+    selection_child_2:
+        Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+            - '\netstat.exe'
+            - '\nltest.exe'
+            - '\ping.exe'
+            - '\tasklist.exe'
+            - '\whoami.exe'
+    condition: selection_parent and 1 of selection_child_*
+level: critical
@@ -1,12 +1,13 @@
-title: PowerShell Web Download and Execution
+title: PowerShell Download and Execute Cradles
 id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 status: experimental
-description: Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression
+description: Detects PowerShell download and execute cradles.
 references:
    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
 date: 2022/03/24
-modified: 2023/01/05
+modified: 2023/05/04
 tags:
    - attack.execution
    - attack.t1059
@@ -22,16 +23,17 @@ detection:
            - 'iwr '
    selection_iex:
        CommandLine|contains:
-            - 'IEX('
-            - 'IEX ('
-            - 'I`EX'
-            - 'IE`X'
-            - 'I`E`X'
+            - ';iex $'
            - '| IEX'
            - '|IEX '
+            - 'I`E`X'
+            - 'I`EX'
+            - 'IE`X'
+            - 'iex '
+            - 'IEX ('
+            - 'IEX('
            - 'Invoke-Expression'
-            - ';iex $'
    condition: all of selection_*
 falsepositives:
-    - Scripts or tools that download files and execute them
+    - Some powershell installers were seen using similar combinations. Apply filters accordingly
 level: high
@@ -0,0 +1,33 @@
+title: Veeam Backup Database Suspicious Query
+id: 696bfb54-227e-4602-ac5b-30d9d2053312
+status: experimental
+description: Detects potential suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
+references:
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.collection
+    - attack.t1005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_sql:
+        Image|endswith: '\sqlcmd.exe'
+        CommandLine|contains|all:
+            - 'VeeamBackup'
+            - 'From '
+    selection_db:
+        CommandLine|contains:
+            - 'BackupRepositories'
+            - 'Backups'
+            - 'Credentials'
+            - 'HostCreds'
+            - 'SmbFileShares'
+            - 'Ssh_creds'
+            - 'VSphereInfo'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium