Merge PR #4702 from @nasbench - Rule tuning and updates

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter fix: Outbound RDP Connections Over Non-Standard Tools - Update filters fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic remove: Suspicious Non-Browser Network Communication With Reddit API update: BITS Transfer Job Download From File Sharing Domains - Add additional domains update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports update: HH.EXE Initiated HTTP Network Connection - Update list of ports update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports update: Network Connection Initiated To Mega.nz - Update domains update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports update: Office Application Initiated Network Connection To Non-Local IP - update list of filters update: Potential Dead Drop Resolvers - Update domains and filters update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains update: Suspicious File Download From File Sharing Websites - Add additional domains update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains update: Suspicious Remote AppX Package Locations - Add additional domains update: Unusual File Download From File Sharing Websites - Add additional domains
2024-02-12 12:29:36 +01:00
parent cf84dcda62
commit 2acebc90f2
53 changed files with 431 additions and 245 deletions
@@ -1,6 +1,6 @@
 title: Suspicious Non-Browser Network Communication With Reddit API
 id: d7b09985-95a3-44be-8450-b6eadf49833e
-status: experimental
+status: deprecated # In favour of 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
 description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2
 references:
    - https://github.com/kleiton0x00/RedditC2
@@ -8,7 +8,7 @@ references:
    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Gavin Knapp
 date: 2023/02/16
-modified: 2023/04/18
+modified: 2024/02/02
 tags:
    - attack.command_and_control
    - attack.t1102
@@ -1,11 +1,12 @@
-title: Dfsvc.EXE Network Connection To Uncommon Ports
+title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port
 id: 4c5fba4a-9ef6-4f16-823d-606246054741
 status: experimental
-description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports
+description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
 references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/12
+modified: 2024/01/31
 tags:
    - attack.execution
    - attack.t1203
@@ -14,14 +15,18 @@ logsource:
    product: windows
 detection:
    selection:
+        Image|contains: ':\Windows\Microsoft.NET\'
        Image|endswith: '\dfsvc.exe'
        Initiated: 'true'
    filter_main_known_ports:
        DestinationPort:
            - 80
            - 443
-            - 445
-    condition: selection and not 1 of filter_main_*
+    filter_optional_dns_ipv6:
+        # Based on VT. More than 140 binaries made communication over DNS
+        DestinationIsIpv6: 'true'
+        DestinationPort: 53
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Unknown
-level: medium
+level: high
@@ -1,10 +1,11 @@
-title: HH.EXE Network Connections
+title: HH.EXE Initiated HTTP Network Connection
 id: 468a8cea-2920-4909-a593-0cbe1d96674a
 related:
    - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
      type: derived
 status: test
-description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
+description: |
+    Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
 references:
    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
@@ -13,6 +14,7 @@ date: 2022/10/05
 tags:
    - attack.defense_evasion
    - attack.t1218.001
+    - detection.threat_hunting
 logsource:
    category: network_connection
    product: windows
@@ -23,9 +25,7 @@ detection:
        DestinationPort:
            - 80
            - 443
-            - 135
-            - 445
    condition: selection
 falsepositives:
-    - Unknown
+    - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
 level: medium
@@ -1,7 +1,10 @@
-title: PowerShell Initiated Network Connection
+title: Network Connection Initiated By PowerShell Process
 id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
-description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.
+description: |
+    Detects a network connection that was initiated from a PowerShell process.
+    Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
+    Use this rule as a basis for hunting for anomalies.
 references:
    - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth (Nextron Systems)
@@ -10,6 +13,7 @@ modified: 2023/09/07
 tags:
    - attack.execution
    - attack.t1059.001
+    - detection.threat_hunting
 logsource:
    category: network_connection
    product: windows
@@ -1,7 +1,7 @@
-title: Net.exe Execution
+title: Net.EXE Execution
 id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac
 status: test
-description: Detects execution of Net.exe, whether suspicious or benign.
+description: Detects execution of "Net.EXE".
 references:
    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
@@ -25,6 +25,7 @@ tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.s0039
+    - detection.threat_hunting
 logsource:
    category: process_creation
    product: windows
@@ -38,20 +39,15 @@ detection:
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
+            - ' accounts'
            - ' group'
            - ' localgroup'
+            - ' share'
+            - ' start'
+            - ' stop '
            - ' user'
            - ' view'
-            - ' share'
-            - ' accounts'
-            - ' stop '
-            - ' start'
    condition: all of selection_*
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
-    - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
+    - Likely
 level: low
@@ -9,7 +9,7 @@ references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/01/11
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
 logsource:
@@ -26,10 +26,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -40,6 +42,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -6,9 +6,10 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
    - https://twitter.com/malmoeb/status/1535142803075960832
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/06/28
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -27,10 +28,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -41,6 +44,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -9,9 +9,10 @@ references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.s0139
@@ -29,10 +30,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -43,6 +46,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -8,9 +8,10 @@ description: Detects the download of suspicious file type from a well-known file
 references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.s0139
@@ -28,10 +29,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -42,6 +45,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -1,7 +1,9 @@
 title: Network Connection Initiated By AddinUtil.EXE
 id: 5205613d-2a63-4412-a895-3a2458b587b3
 status: experimental
-description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication.
+description: |
+    Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
+    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
 references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
@@ -2,7 +2,7 @@ title: Connection Initiated Via Certutil.EXE
 id: 0dba975d-a193-4ed1-a067-424df57570d1
 status: test
 description: |
-    Detects a network connection initiated by the certutil.exe tool.
+    Detects a network connection initiated by the certutil.exe utility.
    Attackers can abuse the utility in order to download malware or additional payloads.
 references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
@@ -1,13 +1,16 @@
-title: Dllhost Internet Connection
+title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address
 id: cfed2f44-16df-4bf3-833a-79405198b277
 status: test
-description: Detects Dllhost that communicates with public IP addresses
+description: |
+    Detects dllhost initiating a network connection to a non-local IP address.
+    Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.
+    An initial baseline is recommended before deployment.
 references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: bartblaze
 date: 2020/07/13
-modified: 2023/01/20
+modified: 2024/01/31
 tags:
    - attack.defense_evasion
    - attack.t1218
@@ -20,7 +23,7 @@ detection:
    selection:
        Image|endswith: '\dllhost.exe'
        Initiated: 'true'
-    filter_ipv4:
+    filter_main_ipv4:
        DestinationIp|startswith:
            - '10.'
            - '192.168.'
@@ -42,16 +45,15 @@ detection:
            - '172.31.'
            - '169.254.'  # link-local address
            - '127.'  # loopback address
-    filter_ipv6:
+    filter_main_ipv6:
        DestinationIp|startswith:
            - '::1'  # IPv6 loopback variant
            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
            - 'fe80:'  # link-local address
            - 'fc'  # private address range fc00::/7
            - 'fd'  # private address range fc00::/7
-    filter_msrange:
+    filter_main_msrange:
        DestinationIp|startswith:
-            # Subnet: 20.184.0.0/13
            - '20.184.'
            - '20.185.'
            - '20.186.'
@@ -60,14 +62,15 @@ detection:
            - '20.189.'
            - '20.190.'
            - '20.191.'
+            - '20.223.'
            - '23.79.'
            - '51.10.'
-            # Subnet: 51.103.210.0/23
            - '51.103.'
            - '51.104.'
            - '51.105.'
            - '52.239.'
-    condition: selection and not 1 of filter_*
+            - '204.79.197'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
 level: medium
@@ -0,0 +1,28 @@
+title: Network Connection Initiated To Mega.nz
+id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
+status: test
+description: |
+    Detects a network connection initiated by a binary to "api.mega.co.nz".
+    Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
+references:
+    - https://megatools.megous.com/
+    - https://www.mandiant.com/resources/russian-targeting-gov-business
+author: Florian Roth (Nextron Systems)
+date: 2021/12/06
+modified: 2024/02/01
+tags:
+    - attack.exfiltration
+    - attack.t1567.001
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        DestinationHostname|endswith:
+            - 'mega.co.nz'
+            - 'mega.nz'
+    condition: selection
+falsepositives:
+    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.
+level: medium
@@ -1,7 +1,13 @@
-title: Communication To Ngrok Domains
+title: Process Initiated Network  Connection To Ngrok Domain
 id: 18249279-932f-45e2-b37a-8925f2597670
+related:
+    - id: 1d08ac94-400d-4469-a82f-daee9a908849
+      type: similar
 status: test
-description: Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors
+description: |
+    Detects an executable initiating a network connection to "ngrok" domains.
+    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
 references:
    - https://ngrok.com/
    - https://ngrok.com/blog-post/new-ngrok-domains
@@ -27,5 +33,6 @@ detection:
            - '.ngrok.io'
    condition: selection
 falsepositives:
-    - Legitimate use of ngrok domains
+    - Legitimate use of the ngrok service.
+# Note: The level of this rule is related to your internal policy.
 level: high
@@ -1,12 +1,19 @@
-title: Communication To Ngrok Tunneling Service
+title: Communication To Ngrok Tunneling Service Initiated
 id: 1d08ac94-400d-4469-a82f-daee9a908849
+related:
+    - id: 18249279-932f-45e2-b37a-8925f2597670
+      type: similar
 status: test
-description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
+description: |
+    Detects an executable initiating a network connection to "ngrok" tunneling domains.
+    Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
+    While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
 references:
    - https://twitter.com/hakluke/status/1587733971814977537/photo/1
    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
 author: Florian Roth (Nextron Systems)
 date: 2022/11/03
+modified: 2024/02/02
 tags:
    - attack.exfiltration
    - attack.command_and_control
@@ -31,5 +38,5 @@ detection:
            - 'tunnel.in.ngrok.com'
    condition: selection
 falsepositives:
-    - Legitimate use of ngrok
+    - Legitimate use of the ngrok service.
 level: high
@@ -18,5 +18,5 @@ detection:
        Image|endswith: '\eqnedt32.exe'
    condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: high
@@ -1,49 +0,0 @@
-title: Excel Network Connections
-id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
-status: test
-description: |
-    Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.
-    You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
-references:
-    - https://corelight.com/blog/detecting-cve-2021-42292
-author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton
-date: 2021/11/10
-modified: 2022/06/27
-tags:
-    - attack.execution
-    - attack.t1203
-logsource:
-    category: network_connection
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\excel.exe'
-        Initiated: 'true'
-        DestinationIsIpv6: 'false'
-    filter:
-        DestinationIp|startswith:
-            - '10.'
-            - '192.168.'
-            - '172.16.'
-            - '172.17.'
-            - '172.18.'
-            - '172.19.'
-            - '172.20.'
-            - '172.21.'
-            - '172.22.'
-            - '172.23.'
-            - '172.24.'
-            - '172.25.'
-            - '172.26.'
-            - '172.27.'
-            - '172.28.'
-            - '172.29.'
-            - '172.30.'
-            - '172.31.'
-            - '127.0.0.1'
-    condition: selection and not filter
-falsepositives:
-    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
-    - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.
-    - It is highly recommended to baseline your activity and tune out common business use cases.
-level: medium
@@ -4,7 +4,8 @@ related:
    - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
      type: derived
 status: test
-description: Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility
+description: |
+    Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
@@ -1,24 +0,0 @@
-title: Communication To Mega.nz
-id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
-status: test
-description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors
-references:
-    - https://megatools.megous.com/
-    - https://www.mandiant.com/resources/russian-targeting-gov-business
-author: Florian Roth (Nextron Systems)
-date: 2021/12/06
-modified: 2022/12/25
-tags:
-    - attack.exfiltration
-    - attack.t1567.001
-logsource:
-    category: network_connection
-    product: windows
-detection:
-    selection:
-        Initiated: 'true'
-        DestinationHostname|endswith: 'api.mega.co.nz'
-    condition: selection
-falsepositives:
-    - Legitimate use of mega.nz uploaders and tools
-level: high
@@ -1,14 +1,15 @@
-title: Msiexec Initiated Connection
+title: Msiexec.EXE Initiated Network Connection Over HTTP
 id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
 status: test
 description: |
-    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
-    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
+    Detects an initiated network connection by "Msiexec.exe" over port 80 or 443.
+    Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
 references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
 author: frack113
 date: 2022/01/16
+modified: 2024/02/01
 tags:
    - attack.defense_evasion
    - attack.t1218.007
@@ -19,7 +20,10 @@ detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\msiexec.exe'
+        DestinationPort:
+            - 80
+            - 443
    condition: selection
 falsepositives:
-    - Legitimate msiexec over networks
-level: medium
+    - Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required.
+level: high
@@ -0,0 +1,30 @@
+title: Network Connection Initiated Via Notepad.EXE
+id: e81528db-fc02-45e8-8e98-4e84aba1f10b
+status: test
+description: |
+    Detects a network connection that is initiated by the "notepad.exe" process.
+    This might be a sign of process injection from a beacon process or something similar.
+    Notepad rarely initiates a network communication except when printing documents for example.
+references:
+    - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
+    - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
+author: EagleEye Team
+date: 2020/05/14
+modified: 2024/02/02
+tags:
+    - attack.command_and_control
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1055
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\notepad.exe'
+    filter_optional_printing:
+        DestinationPort: 9100
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - Printing documents via notepad might cause communication with the printer via port 9100 or similar.
+level: high
@@ -1,27 +0,0 @@
-title: Notepad Making Network Connection
-id: e81528db-fc02-45e8-8e98-4e84aba1f10b
-status: test
-description: Detects suspicious network connection by Notepad
-references:
-    - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
-    - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
-author: EagleEye Team
-date: 2020/05/14
-modified: 2022/10/05
-tags:
-    - attack.command_and_control
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1055
-logsource:
-    category: network_connection
-    product: windows
-detection:
-    selection:
-        Image|endswith: '\notepad.exe'
-    filter:
-        DestinationPort: 9100
-    condition: selection and not filter
-falsepositives:
-    - Unknown
-level: high
@@ -0,0 +1,78 @@
+title: Office Application Initiated Network Connection To Non-Local IP
+id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
+status: test
+description: |
+    Detects an office application (Word, Excel, PowerPoint)  that initiate a network connection to a non-private IP addresses.
+    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
+    This rule will require an initial baseline and tuning that is specific to your organization.
+references:
+    - https://corelight.com/blog/detecting-cve-2021-42292
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton
+date: 2021/11/10
+modified: 2024/01/31
+tags:
+    - attack.execution
+    - attack.t1203
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\excel.exe'
+            - '\powerpnt.exe'
+            - '\winword.exe'
+            - '\wordview.exe'
+        Initiated: 'true'
+    filter_main_ipv4:
+        DestinationIp|startswith:
+            - '10.'
+            - '192.168.'
+            - '172.16.'
+            - '172.17.'
+            - '172.18.'
+            - '172.19.'
+            - '172.20.'
+            - '172.21.'
+            - '172.22.'
+            - '172.23.'
+            - '172.24.'
+            - '172.25.'
+            - '172.26.'
+            - '172.27.'
+            - '172.28.'
+            - '172.29.'
+            - '172.30.'
+            - '172.31.'
+            - '127.0.0.1'
+    filter_main_ipv6:
+        DestinationIp|startswith:
+            - '::1'  # IPv6 loopback variant
+            - '0:0:0:0:0:0:0:1'  # IPv6 loopback variant
+            - 'fe80:'  # link-local address
+            - 'fc'  # private address range fc00::/7
+            - 'fd'  # private address range fc00::/7
+    filter_main_msrange:
+        DestinationIp|startswith:
+            - '20.184.'
+            - '20.185.'
+            - '20.186.'
+            - '20.187.'
+            - '20.188.'
+            - '20.189.'
+            - '20.190.'
+            - '20.191.'
+            - '20.223.'
+            - '23.79.'
+            - '51.10.'
+            - '51.103.'
+            - '51.104.'
+            - '51.105.'
+            - '52.239.'
+            - '204.79.197'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
+    - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
+    - It is highly recommended to baseline your activity and tune out common business use cases.
+level: medium
@@ -0,0 +1,43 @@
+title: Office Application Initiated Network Connection Over Uncommon Ports
+id: 3b5ba899-9842-4bc2-acc2-12308498bf42
+status: experimental
+description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
+references:
+    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+modified: 2024/01/31
+tags:
+    - attack.defense_evasion
+    - attack.command_and_control
+logsource:
+    category: network_connection
+    product: windows
+detection:
+    selection:
+        Initiated: 'true'
+        Image|endswith:
+            - '\excel.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
+            - '\winword.exe'
+            - '\wordview.exe'
+    filter_main_common_ports:
+        DestinationPort:
+            - 53 # DNS
+            - 80 # HTTP
+            - 139 # NETBIOS
+            - 443 # HTTPS
+            - 445 # SMB
+    filter_main_outlook_ports:
+        Image|contains: ':\Program Files\Microsoft Office\'
+        Image|endswith: '\OUTLOOK.EXE'
+        DestinationPort:
+            - 465 # SMTP
+            - 587 # SMTP
+            - 993 # IMAP
+            - 995 # POP3
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Other ports can be used, apply additional filters accordingly
+level: medium
@@ -14,6 +14,7 @@ tags:
 logsource:
    category: network_connection
    product: windows
+    definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
 detection:
    selection:
        Initiated: 'true'
@@ -36,5 +37,5 @@ detection:
        SourceIp: 127.0.0.1
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
-    - Legitimate python script
+    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
 level: medium
@@ -1,7 +1,9 @@
 title: Outbound RDP Connections Over Non-Standard Tools
 id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
 status: test
-description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
+description: |
+    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
+    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
 references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
@@ -19,12 +21,12 @@ detection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
-        Image|endswith:
-            - ':\Windows\System32\mstsc.exe'
-            - ':\Windows\SysWOW64\mstsc.exe'
+        Image:
+            - 'C:\Windows\System32\mstsc.exe'
+            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # https://github.com/SigmaHQ/sigma/pull/2249
-        Image|endswith: ':\Windows\System32\dns.exe'
+        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
@@ -34,7 +36,7 @@ detection:
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
-        Image|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe'
+        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
@@ -63,9 +65,9 @@ detection:
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
-        Image|endswith:
-            - ':\Program Files\TSplus\Java\bin\HTML5service.exe'
-            - ':\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
+        Image:
+            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
+            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
@@ -3,7 +3,7 @@ id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
 status: test
 description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
 references:
-    - https://twitter.com/SBousseaden/status/1096148422984384514
+    - https://twitter.com/cyb3rops/status/1096842275437625346
 author: Samir Bousseaden
 date: 2019/02/16
 modified: 2022/10/09
@@ -17,14 +17,14 @@ logsource:
    category: network_connection
    product: windows
 detection:
-    selection:
+    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
-    selection2:
+    selection_destination:
        - DestinationIp|startswith: '127.'
        - DestinationIp: '::1'
-    condition: selection and selection2
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -1,7 +1,7 @@
 title: Network Connection Initiated By Regsvr32.EXE
 id: c7e91a02-d771-4a6d-a700-42587e0b1095
 status: test
-description: Detects network connections initiated by Regsvr32.exe
+description: Detects a network connection initiated by "Regsvr32.exe"
 references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
@@ -1,11 +1,19 @@
 title: Potential Dead Drop Resolvers
 id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
+related:
+    - id: d7b09985-95a3-44be-8450-b6eadf49833e
+      type: obsoletes
 status: test
-description: Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
+description: |
+    Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
+    In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
 references:
    - https://content.fireeye.com/apt-41/rpt-apt41
    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
+    - https://github.com/kleiton0x00/RedditC2
+    - https://twitter.com/kleiton0x7e/status/1600567316810551296
+    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
 author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022/08/17
 modified: 2024/02/06
@@ -41,6 +49,7 @@ detection:
            - 'imgur.com'
            - 'livejournal.com'
            - 'mediafire.com'
+            - 'mega.co.nz'
            - 'mega.nz'
            - 'onedrive.com'
            - 'paste.ee'
@@ -97,8 +106,15 @@ detection:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
+        Image|contains:
+            - 'C:\Program Files (x86)\Safari\'
+            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
+        Image|contains:
+            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
+            - 'C:\Program Files\Windows Defender\'
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
@@ -108,8 +124,8 @@ detection:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
-        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
+        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
@@ -129,8 +145,9 @@ detection:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
-    filter_main_tor:
-        Image|contains: '\Tor Browser\'
+    # Note: The TOR browser shouldn't be something you allow in your corporate network.
+    # filter_main_tor:
+    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
@@ -169,7 +186,8 @@ detection:
        Image|startswith:
            - 'C:\Program Files (x86)\WindowsApps\'
            - 'C:\Program Files\WindowsApps\'
-        Image|endswith: 'WhatsApp.exe'
+        Image|endswith: '\WhatsApp.exe'
+        DestinationHostname|endswith: 'facebook.com'
    filter_main_telegram:
        Image|contains: '\AppData\Roaming\Telegram Desktop\'
        Image|endswith: '\Telegram.exe'
@@ -182,14 +200,24 @@ detection:
        Image|startswith:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
-        Image|endswith: '\Dropbox.exe'
+        Image|endswith:
+            - '\Dropbox.exe'
+            - '\DropboxInstaller.exe'
        DestinationHostname|endswith: 'dropbox.com'
    filter_main_mega:
-        Image|contains: '\AppData\Local\MEGAsync\'
-        Image|endswith: 'MEGAsync.exe'
-        DestinationHostname|endswith: 'mega.nz'
+        Image|endswith:
+            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
+            #       In practice please apply exact path to avoid basic path bypass techniques.
+            - '\MEGAsync.exe'
+            - '\MEGAsyncSetup32_*RC.exe' # Beta versions
+            - '\MEGAsyncSetup32.exe' # Installers 32bit
+            - '\MEGAsyncSetup64.exe' # Installers 64bit
+            - '\MEGAupdater.exe'
+        DestinationHostname|endswith:
+            - 'mega.co.nz'
+            - 'mega.nz'
    filter_main_googledrive:
-        Image|startswith:
+        Image|contains:
            - 'C:\Program Files\Google\Drive File Stream\'
            - 'C:\Program Files (x86)\Google\Drive File Stream\'
        Image|endswith: 'GoogleDriveFS.exe'
@@ -205,4 +233,5 @@ detection:
    condition: selection and not 1 of filter_main_*
 falsepositives:
    - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
+    - Ninite contacting githubusercontent.com
 level: high
@@ -4,7 +4,7 @@ related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsoletes
 status: test
-description: Detects an executable in the Windows folder accessing suspicious domains
+description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
 references:
    - https://twitter.com/M_haggis/status/900741347035889665
    - https://twitter.com/M_haggis/status/1032799638213066752
@@ -13,7 +13,7 @@ references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018/08/30
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.lateral_movement
    - attack.t1105
@@ -22,12 +22,14 @@ logsource:
    product: windows
 detection:
    selection_paths:
-        - Image|startswith:
-              - 'C:\PerfLogs'
-              - 'C:\Temp\'
-              - 'C:\Users\Public\'
-              - 'C:\Windows\'
-        - Image|contains: '\AppData\Temp\'
+        Image|contains:
+            - ':\PerfLogs\'
+            - ':\Temp\'
+            - ':\Users\Public\'
+            - ':\Windows\System32\Tasks\'
+            - ':\Windows\Tasks\'
+            - ':\Windows\Temp\'
+            - '\AppData\Temp\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
@@ -38,10 +40,13 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
+            - 'mega.co.nz'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -52,11 +57,11 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
    condition: all of selection_*
 falsepositives:
-    - Unknown
-    - '@subTee in your network'
+    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
 level: high
@@ -1,7 +1,8 @@
 title: Suspicious Non-Browser Network Communication With Google API
 id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
 status: experimental
-description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
+description: |
+    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
 references:
    - https://github.com/looCiprian/GC2-sheet
    - https://youtu.be/n2dFlSaBBKo
@@ -19,10 +20,11 @@ logsource:
    category: network_connection
 detection:
    selection:
-        DestinationHostname|contains:  # Other googleapis should be added as the GC2 tool evolves
+        DestinationHostname|contains:
+            # Note: Please add additional google API related domains that might be abused.
+            - 'drive.googleapis.com'
            - 'oauth2.googleapis.com'
            - 'sheets.googleapis.com'
-            - 'drive.googleapis.com'
            - 'www.googleapis.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
@@ -1,12 +1,14 @@
-title: Remote PowerShell Session (Network)
+title: Potential Remote PowerShell Session Initiated
 id: c539afac-c12a-46ed-b1bd-5a5567c9f045
 status: test
-description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
+description: |
+    Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
+    This could potentially indicates a remote PowerShell connection.
 references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/09/12
-modified: 2023/01/09
+modified: 2024/02/02
 tags:
    - attack.execution
    - attack.t1059.001
@@ -21,27 +23,28 @@ detection:
            - 5985
            - 5986
        Initiated: 'true' # only matches of the initiating system can be evaluated
-    filter_generic:
+        SourceIsIpv6: 'false'
+    filter_main_service_users:
        - User|contains: # covers many language settings for Network Service. Please expand
              - 'NETWORK SERVICE'
              - 'NETZWERKDIENST'
-              - 'SERVIZIO DI RETE'
              - 'SERVICIO DE RED'
+              - 'SERVIZIO DI RETE'
        - User|contains|all:
              - 'SERVICE R'
              - 'SEAU'
-        - SourceIp|startswith: '0:0:'
-        - Image:
-              - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
-              - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
-    filter_localhost:
+    filter_main_localhost:
        SourceIp:
            - '::1'
            - '127.0.0.1'
        DestinationIp:
            - '::1'
            - '127.0.0.1'
-    condition: selection and not 1 of filter_*
+    filter_optional_avast:
+        Image:
+            - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
+            - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
    - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
    - Network Service user name of a not-covered localization
@@ -1,7 +1,9 @@
-title: Suspicious Office Outbound Connections
-id: 3b5ba899-9842-4bc2-acc2-12308498bf42
+title: Suspicious Wordpad Outbound Connections
+id: 786cdae8-fefb-4eb2-9227-04e34060db01
 status: experimental
-description: Detects office suit applications communicating to target systems on uncommon ports
+description: |
+    Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
+    This might indicate potential process injection activity from a beacon or similar mechanisms.
 references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems)
@@ -15,13 +17,8 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith:
-            - '\excel.exe'
-            - '\outlook.exe'
-            - '\powerpnt.exe'
-            - '\winword.exe'
-            - '\wordpad.exe'
-            - '\wordview.exe'
+        Initiated: 'true'
+        Image|endswith: '\wordpad.exe'
    filter_main_ports:
        DestinationPort:
            - 80
@@ -8,9 +8,10 @@ references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Florian Roth (Nextron Systems)
 date: 2022/06/28
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -38,10 +39,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -52,6 +55,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -13,9 +13,10 @@ references:
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/15
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -39,10 +40,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -53,6 +56,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -7,7 +7,7 @@ references:
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/05
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.execution
 logsource:
@@ -26,10 +26,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -40,6 +42,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -8,7 +8,7 @@ references:
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/29
-modified: 2023/04/12
+modified: 2024/01/31
 tags:
    - attack.defense_evasion
    - attack.t1218.001
@@ -20,7 +20,10 @@ detection:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
-        CommandLine|contains: 'http'
+        CommandLine|contains:
+            - 'http://'
+            - 'https://'
+            - '\\\\'
    condition: all of selection_*
 falsepositives:
    - Unknown
@@ -30,10 +30,6 @@ detection:
            - 'user'
            - 'add'
    condition: all of selection_*
-fields:
-    - ComputerName
-    - User
-    - CommandLine
 falsepositives:
    - Legitimate user creation.
    - Better use event IDs for user creation rather than command line rules.
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
 date: 2022/01/13
-modified: 2024/02/08
+modified: 2024/02/09
 tags:
    - attack.defense_evasion
    - attack.t1218.011
@@ -22,20 +22,25 @@ detection:
    filter_main_empty:
        CommandLine: ''
    filter_main_known_extension:
-        CommandLine|contains:
-            # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
-            - '.cpl '
-            - '.cpl,'
-            - '.cpl"'
-            - ".cpl'"
-            - '.dll '
-            - '.dll,'
-            - '.dll"'
-            - ".dll'"
-            - '.inf '
-            - '.inf,'
-            - '.inf"'
-            - ".inf'"
+        - CommandLine|contains:
+              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
+              - '.cpl '
+              - '.cpl,'
+              - '.cpl"'
+              - ".cpl'"
+              - '.dll '
+              - '.dll,'
+              - '.dll"'
+              - ".dll'"
+              - '.inf '
+              - '.inf,'
+              - '.inf"'
+              - ".inf'"
+        - CommandLine|endswith:
+              # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
+              - '.cpl'
+              - '.dll'
+              - '.inf'
    filter_main_localserver:
        CommandLine|contains: ' -localserver '
    filter_main_zzzzInvokeManagedCustomActionOutOfProc:
@@ -5,9 +5,10 @@ description: Detects potentially suspicious file downloads from file sharing dom
 references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
+    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/05
-modified: 2023/08/17
+modified: 2024/02/09
 tags:
    - attack.execution
 logsource:
@@ -26,10 +27,12 @@ detection:
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
+            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
+            - 'onrender.com'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
@@ -40,6 +43,7 @@ detection:
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
+            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'ufile.io'
@@ -1,13 +1,17 @@
 title: Bypass UAC Using SilentCleanup Task
 id: 724ea201-6514-4f38-9739-e5973c34f49a
 status: test
-description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
+description: |
+    Detects the setting of the environement variable "windir" to a non default value.
+    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
+    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
-author: frack113
+    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
+author: frack113, Nextron Systems
 date: 2022/01/06
-modified: 2023/08/17
+modified: 2024/01/30
 tags:
    - attack.privilege_escalation
    - attack.defense_evasion
@@ -18,8 +22,9 @@ logsource:
 detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
-        Details|contains: '&REM'
-    condition: selection
+    filter_main_default:
+        Details: '%SystemRoot%'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: high
@@ -8,7 +8,7 @@ description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
 references:
-    - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
@@ -12,7 +12,7 @@ description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
 references:
-    - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html