From 24ed6be065fa650c3f6dcfdda5a47f5e2f0d2ef0 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 5 May 2023 01:26:06 +0200 Subject: [PATCH] feat: updates and new rules related to fin7 --- ...malware_conti_ransomware_database_dump.yml | 6 +- rules-emerging-threats/2023/TA/FIN7/README.md | 13 +++ ...7_powershell_scripts_naming_convention.yml | 21 +++++ .../TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 26 ++++++ .../posh_ps_apt_fin7_powertrash_execution.yml | 28 +++++++ ...n_apt_fin7_powertrash_lateral_movement.yml | 28 +++++++ .../proxy_generic/proxy_ua_base64_encoded.yml | 27 +++++++ .../proxy_generic/proxy_ua_susp_base64.yml | 22 +++-- .../posh_ps_resolve_list_of_ip_from_file.yml | 27 +++++++ ...sh_ps_script_with_upload_capabilities.yml} | 18 ++--- .../posh_ps_trigger_profiles.yml | 29 ------- .../posh_ps_user_profile_tampering.yml | 35 ++++++++ ...osh_ps_veeam_credential_dumping_script.yml | 26 ++++++ ...url_download_susp_file_sharing_domains.yml | 80 +++++++++++++++++++ ..._creation_win_mssql_susp_child_process.yml | 24 ++++-- ...n_win_mssql_veaam_susp_child_processes.yml | 52 ++++++++++++ ...c_creation_win_powershell_download_iex.yml | 22 ++--- ...roc_creation_win_sqlcmd_veeam_db_recon.yml | 33 ++++++++ 18 files changed, 445 insertions(+), 72 deletions(-) create mode 100644 rules-emerging-threats/2023/TA/FIN7/README.md create mode 100644 rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml create mode 100644 rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml create mode 100644 rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml create mode 100644 rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml create mode 100644 rules/web/proxy_generic/proxy_ua_base64_encoded.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml rename rules/windows/powershell/powershell_script/{posh_ps_upload.yml => 
posh_ps_script_with_upload_capabilities.yml} (64%)
delete mode 100644 rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
create mode 100644 rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
diff --git a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
index ef80f315d..0659274b6 100644
--- a/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
+++ b/rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml
@@ -1,4 +1,4 @@
-title: Potential Conti Ransomware Database Dumping Activity
+title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
 id: 2f47f1fd-0901-466e-a770-3b7092834a1b
 status: test
 description: Detects a command used by conti to dump database
@@ -8,7 +8,7 @@ references:
 - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
 author: frack113
 date: 2021/08/16
-modified: 2023/02/13
+modified: 2023/05/04
 tags:
 - attack.collection
 - attack.t1005
@@ -28,7 +28,7 @@ detection:
 - 'sys.sysprocesses'
 - 'master.dbo.sysdatabases'
 - 'BACKUP DATABASE'
- condition: all of selection*
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules-emerging-threats/2023/TA/FIN7/README.md b/rules-emerging-threats/2023/TA/FIN7/README.md
new file mode 100644
index 000000000..8b3182f83
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/FIN7/README.md
@@ -0,0 +1,13 @@
+# FIN7 Targets Veeam Backup Servers
+
+## Summary
+
+Withsecure labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.
+
+You can find more information on the threat in the following articles:
+
+- [FIN7 tradecraft seen in attacks against Veeam backup servers](https://labs.withsecure.com/publications/fin7-target-veeam-servers)
+
+## Rules
+
+-
\ No newline at end of file
diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
new file mode 100644
index 000000000..b55a3a903
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -0,0 +1,21 @@
+title: Potential APT FIN7 Related PowerShell Script Created
+id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
+status: experimental
+description: Detects powershell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|endswith: '_64refl.ps1'
+ - TargetFilename: 'host_ip.ps1'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
new file mode 100644
index 000000000..4d5c08ea0
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml
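Review bot: `TargetFilename: 'host_ip.ps1'` in `selection` of file_event_win_apt_fin7_powershell_scripts_naming_convention.yml is an exact match on the whole field, and `TargetFilename` in file-creation events typically carries the full path, so this entry can never match and only the `_64refl.ps1` suffix is effectively detected. Use a suffix match that includes the path separator, `- TargetFilename|endswith: '\host_ip.ps1'`. The list form under `selection` already ORs the two entries, so nothing else in the block needs to change.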
@@ -0,0 +1,26 @@
+title: FIN7 POWERHOLD Execution
+id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
+status: test
+description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - '$env:APPDATA'
+ - 'function MainPayload'
+ - '::WriteAllBytes'
+ - 'wscript.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
new file mode 100644
index 000000000..fd128fa57
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml
@@ -0,0 +1,28 @@
+title: Potential POWERTRASH Script Execution
+id: 4e19528a-f081-40dd-be09-90c39352bd64
+status: test
+description: Detects potential execution of the PowerShell script POWERTRASH
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'IO.Compression.DeflateStream'
+ - 'IO.MemoryStream'
+ - '::FromBase64String'
+ - 'GetDelegateForFunctionPointer'
+ - '.Invoke()'
+ - 'GlobalAssemblyCache'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
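Review bot: `status: test` on posh_ps_apt_fin7_powerhold.yml, a rule created in this same commit (`date: 2023/05/04`), is out of step with the other new rules here, which are `status: experimental`; the same applies to posh_ps_apt_fin7_powertrash_execution.yml in the next hunk. Change both to `status: experimental` so the new FIN7 rules move through the status lifecycle together. The `definition: bade5735-5ab0-4aa7-a642-a11be0e40872` reference is used consistently across the new ps_script rules; a short mention in each `description` that Script Block Logging is required would spare readers from having to resolve that id.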
diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
new file mode 100644
index 000000000..49084403e
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml
@@ -0,0 +1,28 @@
+title: Potential FIN7 Reconnaissance/POWERTRASH Related Activity
+id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
+status: experimental
+description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
+ - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains|all:
+ - '-noni -nop -exe bypass -f \\\\'
+ - 'ADMIN$'
+ selection_2:
+ CommandLine|contains|all:
+ - '-ex bypass -noprof -nolog -nonint -f'
+ - 'C:\Windows\Temp\'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/web/proxy_generic/proxy_ua_base64_encoded.yml b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
new file mode 100644
index 000000000..7d90a5ccd
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_ua_base64_encoded.yml
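Review bot: The `tags` list of proc_creation_win_apt_fin7_powertrash_lateral_movement.yml stops at `attack.execution`, although `selection_1` keys on a UNC path to an `ADMIN$` share and the file itself is named `_lateral_movement`; if remote execution over admin shares is the intent, add `- attack.lateral_movement` and `- attack.t1021.002`, and `- attack.t1059.001` for the PowerShell parameters both selections match on. The second entry under `references` is a deep link to an image asset inside the WithSecure article; it is likely to rot and the first reference already covers the same content, so consider dropping it or pointing at the article section instead.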
@@ -0,0 +1,27 @@
+title: Suspicious Base64 Encoded User-Agent
+id: d443095b-a221-4957-a2c4-cd1756c9b747
+related:
+ - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
+ type: derived
+status: experimental
+description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
+references:
+ - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-useragent|startswith:
+ - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
+ - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
+ - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
+ - 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot)
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
index 5658bc112..7fffddb75 100644
--- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
@@ -1,12 +1,16 @@
-title: Suspicious Base64 User Agent
+title: Potential Base64 Encoded User-Agent
 id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
+related:
+ - id: d443095b-a221-4957-a2c4-cd1756c9b747
+ type: derived
 status: experimental
-description: Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string
+description: Detects User Agent strings that end with an equal sign, which can be a sign of if being encoded in base64.
 references:
 - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
-author: Florian Roth (Nextron Systems)
+ - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
+author: Florian Roth (Nextron Systems), Brian Ingram (update)
 date: 2022/07/08
-modified: 2022/11/27
+modified: 2023/05/04
 tags:
 - attack.command_and_control
 - attack.t1071.001
@@ -14,14 +18,8 @@ logsource:
 category: proxy
 detection:
 selection:
- c-useragent|endswith:
- - '='
- - 'TW96aWxsY' # base64 encoded Mozilla/ as used by YamaBot
+ c-useragent|endswith: '='
 condition: selection
-fields:
- - ClientIP
- - c-uri
- - c-useragent
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
new file mode 100644
index 000000000..8bc141375
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
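Review bot: The rewritten `description` in proxy_ua_susp_base64.yml reads `a sign of if being encoded in base64`, which is ungrammatical; suggest `description: Detects User Agent strings that end with an equal sign, which can be a sign of the value being base64 encoded.` The `related` entry pointing at d443095b-a221-4957-a2c4-cd1756c9b747 and the move of the `TW96aWxsY` prefix into that derived rule are consistent with proxy_ua_base64_encoded.yml in the previous hunk.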
@@ -0,0 +1,27 @@
+title: PowerShell Script With File Hostname Resolving Capabilities
+id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
+status: experimental
+description: Detects powershell scripts that have capabilities to read files, loop through them and resolve dns host entries.
+references:
+ - https://www.fortypoundhead.com/showcontent.asp?artid=24022
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+ - attack.exfiltration
+ - attack.t1020
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - 'Get-content '
+ - 'foreach'
+ - '[System.Net.Dns]::GetHostEntry'
+ - 'Out-File'
+ condition: selection
+falsepositives:
+ - The same functionality can be implemented by admin scripts, correlate with name and creator
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
similarity index 64%
rename from rules/windows/powershell/powershell_script/posh_ps_upload.yml
rename to rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index 4d7e2283e..9b9e0ff2c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
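Review bot: `ScriptBlockText|contains:` with a list is an OR in Sigma, so `selection` in posh_ps_resolve_list_of_ip_from_file.yml fires on any script block that contains `foreach` or `Out-File` on its own, whereas the `description` says the rule looks for scripts that read files, loop through them and resolve host entries together. The modifier should be `ScriptBlockText|contains|all:` so that all four strings are required. The `falsepositives` entry anticipates admin scripts; with the OR semantics the rule would be far noisier than that note suggests.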
@@ -1,33 +1,31 @@
-title: Windows PowerShell Upload Web Request
+title: PowerShell Script With File Upload Capabilities
 id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 status: experimental
-description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+description: Detects powershell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
 - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
 author: frack113
 date: 2022/01/07
-modified: 2023/01/02
+modified: 2023/05/04
 tags:
 - attack.exfiltration
 - attack.t1020
 logsource:
 product: windows
 category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
 detection:
 selection_cmdlet:
 ScriptBlockText|contains:
 - 'Invoke-WebRequest'
 - 'iwr '
 selection_flag:
- ScriptBlockText|contains: '-Method '
- selection_verb:
 ScriptBlockText|contains:
- - ' Put '
- - ' Post '
+ - '-Method Put'
+ - '-Method Post'
 condition: all of selection_*
 falsepositives:
- - Legitimate script
-level: medium
+ - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
deleted file mode 100644
index f8e3495de..000000000
--- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
+++ /dev/null
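Review bot: With the separate `-Method ` selector folded into the verb strings, `selection_flag` in posh_ps_script_with_upload_capabilities.yml no longer holds a flag but the method verbs; renaming it to `selection_method` would keep the identifier honest, and `condition: all of selection_*` keeps working unchanged. Note that `'-Method Put'` / `'-Method Post'` do not cover spellings such as `-Method:Post` or `-Method "Post"`; the previous pattern did not cover them either, so this is not a regression, but a one-line comment above the list stating the accepted forms would save the next reader from re-deriving it.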
@@ -1,29 +0,0 @@
-title: Powershell Trigger Profiles by Add_Content
-id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
-status: test
-description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
-author: frack113
-date: 2021/08/18
-modified: 2022/12/25
-tags:
- - attack.privilege_escalation
- - attack.t1546.013
-logsource:
- product: windows
- category: ps_script
- definition: 'Requirements: Script Block Logging must be enabled'
-detection:
- selection:
- ScriptBlockText|contains|all:
- - 'Add-Content'
- - '$profile'
- - '-Value'
- ScriptBlockText|contains:
- - 'Start-Process'
- - '""' #cleanup action
- condition: selection
-falsepositives:
- - Unknown
-level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
new file mode 100644
index 000000000..4d2cc3665
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
@@ -0,0 +1,35 @@
+title: Potential Persistence Via PowerShell User Profile Using Add-Content
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+status: test
+description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/08/18
+modified: 2023/05/04
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.013
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_add:
+ ScriptBlockText|contains: 'Add-Content $profile'
+ selection_options:
+ ScriptBlockText|contains:
+ # Note: You can add more suspicious values
+ - '-Value "IEX '
+ - '-Value "Invoke-Expression'
+ - '-Value "Invoke-WebRequest'
+ - '-Value "Start-Process'
+ - "-Value 'IEX "
+ - "-Value 'Invoke-Expression"
+ - "-Value 'Invoke-WebRequest"
+ - "-Value 'Start-Process"
+ condition: selection
+falsepositives:
+ - Legitimate administration and tuning scripts that aims to add functionality to a user powershell session
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
new file mode 100644
index 000000000..c7b97a84f
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
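Review bot: `condition: selection` in posh_ps_user_profile_tampering.yml references an identifier that does not exist in this `detection` block; the selections are named `selection_add` and `selection_options`, so the rule fails validation or matches nothing depending on the backend. It should read `condition: all of selection_*` so that both the `Add-Content $profile` call and one of the suspicious `-Value` payloads are required. Separately, `definition: 'Requirements: Script Block Logging must be enabled'` is the free-text form inherited from the deleted posh_ps_trigger_profiles.yml, while the other ps_script rules in this commit reference the definition id `bade5735-5ab0-4aa7-a642-a11be0e40872`; pick one form for consistency.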
@@ -0,0 +1,26 @@
+title: Veeam Backup Servers Credential Dumping Script Execution
+id: 976d6e6f-a04b-4900-9713-0134a353e38b
+status: experimental
+description: Detects execution of a powershell script that contains calls to the "Veeam.Backup" class, in order to dump credential stored.
+references:
+ - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.credential_access
+logsource:
+ product: windows
+ category: ps_script
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - '[Credentials]'
+ - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
+ - 'Invoke-Sqlcmd'
+ - 'Veeam Backup and Replication'
+ condition: selection
+falsepositives:
+ - Administrators backup scripts (must be investigated)
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
new file mode 100644
index 000000000..a1118c1e3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
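Review bot: The `description` of posh_ps_veeam_credential_dumping_script.yml ends `in order to dump credential stored`, which should read `in order to dump stored credentials`. The `tags` list carries only the tactic `attack.credential_access`; `attack.t1555` (Credentials from Password Stores) looks like the matching technique for reading Veeam's protected storage and is worth adding if the maintainers agree. Requiring all four strings, including the literal `'Veeam Backup and Replication'`, keeps the rule precise but also brittle against small edits of the script, which is worth stating next to the `falsepositives` entry.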
@@ -0,0 +1,80 @@
+title: Suspicious File Download From File Sharing Domain Via Curl.EXE
+id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
+status: experimental
+description: Detects file download using curl.exe
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+ - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\curl.exe'
+ - OriginalFileName: 'curl.exe'
+ selection_websites:
+ - CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+ - CommandLine|contains:
+ - 'anonfiles.com'
+ - 'cdn.discordapp.com/attachments/'
+ - 'ddns.net'
+ - 'ghostbin.co/'
+ - 'gist.githubusercontent.com'
+ - 'hastebin.com'
+ - 'mediafire.com'
+ - 'mega.nz'
+ - 'paste.ee'
+ - 'paste.ee'
+ - 'pastebin.com'
+ - 'pastebin.pl'
+ - 'pastetext.net'
+ - 'privatlab.com'
+ - 'privatlab.net'
+ - 'raw.githubusercontent.com'
+ - 'send.exploit.in'
+ - 'sendspace.com'
+ - 'storage.googleapis.com'
+ - 'temp.sh'
+ - 'transfer.sh'
+ - 'ufile.io'
+ selection_http:
+ CommandLine|contains: 'http'
+ selection_flag:
+ CommandLine|contains:
+ - ' -O' # covers the alias for --remote-name and --output
+ - '--remote-name'
+ - '--output'
+ selection_ext:
+ CommandLine|endswith:
+ - ".ps1"
+ - ".ps1'"
+ - '.ps1"'
+ - ".bat"
+ - ".bat'"
+ - '.bat"'
+ - ".exe"
+ - ".exe'"
+ - '.exe"'
+ - ".vbs"
+ - ".vbs'"
+ - '.vbs"'
+ - ".vbe"
+ - ".vbe'"
+ - '.vbe"'
+ - ".hta"
+ - ".hta'"
+ - '.hta"'
+ - ".dll"
+ - ".dll'"
+ - '.dll"'
+ - ".psm1"
+ - ".psm1'"
+ - '.psm1"'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
index 9477dadfe..8a35cf7bc 100644
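Review bot: `'paste.ee'` appears twice in `selection_websites` of proc_creation_win_curl_download_susp_file_sharing_domains.yml; drop the duplicate. `description: Detects file download using curl.exe` understates what the rule requires, namely a file-sharing domain or raw IP URL plus a script or executable extension at the end of the command line, so `description: Detects file download of script or executable file types from file sharing domains or raw IP addresses via Curl.EXE` would describe it better. Because `selection_ext` uses `CommandLine|endswith`, invocations that place the URL before other options will not match; if that is intentional, a comment on `selection_ext` saying so would help the next reader.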
--- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
@@ -1,13 +1,13 @@
-title: Suspicious Shells Spawn by SQL Server
+title: Suspicious Child Process Of SQL Server
 id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 related:
 - id: 344482e4-a477-436c-aa70-7536d18a48c7
 type: obsoletes
 status: experimental
-description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
+description: Detects suspicious child processes of SQLServer process. This could indicate potential RCE or SQL Injection.
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
-modified: 2023/01/21
+modified: 2023/05/04
 tags:
 - attack.t1505.003
 - attack.t1190
@@ -21,17 +21,25 @@ detection:
 selection:
 ParentImage|endswith: '\sqlservr.exe'
 Image|endswith:
- - '\cmd.exe'
- - '\sh.exe'
+ # You can add other uncommon or suspicious processes
 - '\bash.exe'
+ - '\bitsadmin.exe'
+ - '\cmd.exe'
+ - '\netstat.exe'
+ - '\nltest.exe'
+ - '\ping.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
- - '\bitsadmin.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\sh.exe'
 - '\systeminfo.exe'
- filter_datev:
+ - '\tasklist.exe'
+ - '\wsl.exe'
+ filter_optional_datev:
 ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
 ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
 Image: 'C:\Windows\System32\cmd.exe'
 CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_optional_*
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
new file mode 100644
index 000000000..a40738199
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
@@ -0,0 +1,52 @@
+title: Suspicious Child Process Of SQL Server
+id: d55b793d-f847-4eea-b59a-5ab09908ac90
+related:
+ - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
+ type: similar
+status: experimental
+description: Detects suspicious child processes of SQLServer process. This could indicate potential RCE or SQL Injection.
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith: '\sqlservr.exe'
+ ParentCommandLine|contains: 'VEEAMSQL'
+ selection_child_1:
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\wsl.exe'
+ - '\wt.exe'
+ CommandLine|contains:
+ - '-ex '
+ - 'bypass'
+ - 'cscript'
+ - 'DownloadString'
+ - 'http://'
+ - 'https://'
+ - 'mshta'
+ - 'regsvr32'
+ - 'rundll32'
+ - 'wscript'
+ - 'copy '
+ selection_child_2:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ - '\netstat.exe'
+ - '\nltest.exe'
+ - '\ping.exe'
+ - '\tasklist.exe'
+ - '\whoami.exe'
+ condition: selection_parent and 1 of selection_child_*
+level: critical
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index 1ad9bade3..e48e40818 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
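Review bot: The new file is named `proc_creation_win_mssql_veaam_susp_child_processes.yml` (`veaam`), a typo for `veeam` that will keep it from sorting next to proc_creation_win_sqlcmd_veeam_db_recon.yml and posh_ps_veeam_credential_dumping_script.yml added in this same commit. Its `title` and `description` are byte-identical to the updated proc_creation_win_mssql_susp_child_process.yml in the previous hunk even though this rule is scoped by `ParentCommandLine|contains: 'VEEAMSQL'` and rated `level: critical`; a distinct title such as `Suspicious Child Process Of Veeam SQL Server Instance` would keep the two apart in alerting. The rule also has no `falsepositives` section, unlike every other rule in this commit; at minimum add `falsepositives:` / `    - Unknown`.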
@@ -1,12 +1,13 @@
-title: PowerShell Web Download and Execution
+title: PowerShell Download and Execute Cradles
 id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 status: experimental
-description: Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression
+description: Detects PowerShell download and execute cradles.
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Florian Roth (Nextron Systems)
 date: 2022/03/24
-modified: 2023/01/05
+modified: 2023/05/04
 tags:
 - attack.execution
 - attack.t1059
@@ -22,16 +23,17 @@ detection:
 - 'iwr '
 selection_iex:
 CommandLine|contains:
- - 'IEX('
- - 'IEX ('
- - 'I`EX'
- - 'IE`X'
- - 'I`E`X'
+ - ';iex $'
 - '| IEX'
 - '|IEX '
+ - 'I`E`X'
+ - 'I`EX'
+ - 'IE`X'
+ - 'iex '
+ - 'IEX ('
+ - 'IEX('
 - 'Invoke-Expression'
- - ';iex $'
 condition: all of selection_*
 falsepositives:
- - Scripts or tools that download files and execute them
+ - Some powershell installers were seen using similar combinations. Apply filters accordingly
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
new file mode 100644
index 000000000..978c43c4e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
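Review bot: The added `'iex '` entry in `selection_iex` of proc_creation_win_powershell_download_iex.yml subsumes `'IEX ('` and `'|IEX '` under Sigma's default case-insensitive `contains` matching, so those two entries are now redundant; either drop them or leave `'iex '` out and keep the explicit forms. Adding `'iex '` also broadens the rule, which is tolerable only because `condition: all of selection_*` still requires the download selection; the rewritten `falsepositives` entry should say that the broad `iex ` token is the likely source of installer noise. The download selection that precedes ` - 'iwr '` lies outside this hunk.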
@@ -0,0 +1,33 @@
+title: Veeam Backup Database Suspicious Query
+id: 696bfb54-227e-4602-ac5b-30d9d2053312
+status: experimental
+description: Detects potential suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+ - attack.collection
+ - attack.t1005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_sql:
+ Image|endswith: '\sqlcmd.exe'
+ CommandLine|contains|all:
+ - 'VeeamBackup'
+ - 'From '
+ selection_db:
+ CommandLine|contains:
+ - 'BackupRepositories'
+ - 'Backups'
+ - 'Credentials'
+ - 'HostCreds'
+ - 'SmbFileShares'
+ - 'Ssh_creds'
+ - 'VSphereInfo'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
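Review bot: `selection_sql` in proc_creation_win_sqlcmd_veeam_db_recon.yml identifies the tool only by `Image|endswith: '\sqlcmd.exe'`, so a renamed copy of the binary is not caught, whereas proc_creation_win_curl_download_susp_file_sharing_domains.yml in this same commit pairs `Image|endswith` with `OriginalFileName`. If the sqlcmd binary carries a stable PE `OriginalFileName`, split the image check into its own list-form selection, `selection_img:` / `- Image|endswith: '\sqlcmd.exe'` / `- OriginalFileName: '<value read from the binary>'`, and leave the `CommandLine|contains|all` pair under `selection_sql`, since a list of maps inside one selection is an OR and would otherwise loosen the command-line requirement. `condition: all of selection_*` then needs no change.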