From 09afae1e66393f5c534a7dd8c9a6d96419f35bd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 14:27:19 +0300
Subject: [PATCH 01/12] Create sysmon_apt_muddywater_dnstunnel.yml

Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
---
 .../sysmon_apt_muddywater_dnstunnel.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 000000000..38a292923
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,26 @@
+title: "Muddywater DNS tunnel method detection"
+description: "Detecting DNS tunnel activity from Muddywater"
+author: Furkan Caliskan
+status: "testing"
+references:
+- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+tags:
+- attack.command_and_control
+- attack.t1071
+logsource:
+ product: "windows"
+ service: "sysmon"
+detection:
+ selection:
+ EventID: 1
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
+ condition: selection
+falsepositives:
+- Unkown
+level: medium

From bafd6bde5f69f7d519426ac1273de9260b7bf517 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 14:45:10 +0300
Subject: [PATCH 02/12] Convert to process_creation

Convert to process_creation
---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
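Review bot: The selection does not match any DNS activity; it is a process-creation signature (Excel spawning PowerShell with `DataExchange.dll` on the command line), so the title and description promise evidence the rule cannot produce, and an analyst triaging a hit will look for DNS telemetry that is not there. I would make the description say what is actually matched, e.g. `description: Detects Excel spawning PowerShell with DataExchange.dll on the command line, a process chain observed in the referenced MuddyWater sample that used DNS tunnelling for C2`, and leave the DNS-tunnel wording to the references. `falsepositives` carries a typo, `- Unkown` should be `- Unknown`; the line is re-indented but not corrected in the patch 11 and patch 12 hunks, so it survives the whole series. The one-element lists under `Image|endswith` and `ParentImage|endswith` could be plain scalars, but that is cosmetic.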
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 38a292923..2c39917ae 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,4 @@
-title: "Muddywater DNS tunnel method detection"
+title: "Muddywater DNS tunnel detection"
 description: "Detecting DNS tunnel activity from Muddywater"
 author: Furkan Caliskan
 status: "testing"
@@ -9,8 +9,8 @@ tags:
 - attack.command_and_control
 - attack.t1071
 logsource:
- product: "windows"
- service: "sysmon"
+ category: process_creation
+ product: windows
 detection:
 selection:
 EventID: 1

From 1c677aa172fbdc42dd2b07fbca4d3cfb33e33815 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:13:32 +0300
Subject: [PATCH 03/12] Fix title as in guideline

Fix title error as in guideline and other cosmetic changes
---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 2c39917ae..13ee8b635 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,7 +1,7 @@
-title: "Muddywater DNS tunnel detection"
-description: "Detecting DNS tunnel activity from Muddywater"
+title: Muddywater DNS tunnel activity
+description: Detecting DNS tunnel activity for Muddywater actor
 author: Furkan Caliskan
-status: "testing"
+status: testing
 references:
 - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html

From 0744107fbb3fcf2444d00a8d3539dd1a2ce6bbd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:19:08 +0300
Subject: [PATCH 04/12] Deleted EventID part

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 13ee8b635..87b6a254f 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -13,7 +13,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventID: 1
 Image|endswith:
 - '\powershell.exe'
 ParentImage|endswith:

From 5e373153ebf64c2d1d4a47e9cbc2a14c356f4ecc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:28:37 +0300
Subject: [PATCH 05/12] Title fix

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 87b6a254f..b77e33e3c 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,4 @@
-title: Muddywater DNS tunnel activity
+title: DNS Tunnel Technique from MuddyWater
 description: Detecting DNS tunnel activity for Muddywater actor
 author: Furkan Caliskan
 status: testing

From e958a6a9398d0dc32eeb78eccfeeb2dfc0081fe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:34:44 +0300
Subject: [PATCH 06/12] Date added

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index b77e33e3c..e13e7fcaf 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,7 +1,8 @@
 title: DNS Tunnel Technique from MuddyWater
 description: Detecting DNS tunnel activity for Muddywater actor
-author: Furkan Caliskan
-status: testing
+author: '@caliskanfurkan_'
+status: experimental
+date: 2020/06/04
 references:
 - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html

From 082696ee84e00d2c1367267f156d31bfb52c415a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:38:42 +0300
Subject: [PATCH 07/12] Added UUID

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index e13e7fcaf..32004f6e3 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,5 @@
 title: DNS Tunnel Technique from MuddyWater
+id: 36222790-0d43-4fe8-86e4-674b27809543
 description: Detecting DNS tunnel activity for Muddywater actor
 author: '@caliskanfurkan_'
 status: experimental

From d14d391761261c6ed17b1edb1e38dd469a3762a7 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Tue, 9 Jun 2020 16:12:05 +0200
Subject: [PATCH 08/12] Octopus Scanner malware rule

---
 .../malware/win_mal_octopus_scanner.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/malware/win_mal_octopus_scanner.yml

diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
new file mode 100644
index 000000000..bcc4b998a
--- /dev/null
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -0,0 +1,24 @@
+title: Octopus Scanner Malware
+id: 805c55d9-31e6-4846-9878-c34c75054fe9
+status: experimental
+description: Detects Octopus Scanner Malware.
+references:
+ - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+tags:
+ - attack.t1195
+author: NVISO
+date: 2020/06/09
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ filecreate:
+ EventID: 11
+ selection:
+ TargetFilename|endswith:
+ - '\AppData\Local\Microsoft\Cache134.dat'
+ - '\AppData\Local\Microsoft\ExplorerSync.db'
+condition: filecreate and selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file

From 4ce3ea735e6308bebb554a4fab7286e964ae465e Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Tue, 9 Jun 2020 16:21:46 +0200
Subject: [PATCH 09/12] TA410 FlowCloud malware detection

---
 rules/windows/malware/win_mal_flowcloud.yml | 28 +++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/malware/win_mal_flowcloud.yml

diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
new file mode 100644
index 000000000..566fce0d4
--- /dev/null
+++ b/rules/windows/malware/win_mal_flowcloud.yml
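Review bot: The logsource is bound to `service: sysmon` with a hard-coded `EventID: 11` even though the rule only needs a file-creation event; the repository's generic `category: file_event` with `product: windows` expresses the same thing and lets the backends map it to Sysmon or another EDR source, which is the same conversion patch 02 applied to the MuddyWater rule. With that, the `filecreate` selector goes away and the condition becomes `condition: selection`. The `description` repeats the title; a sentence on what the two artefacts are (dropped files of the referenced implant, per the GitHub Security Lab write-up) would help triage. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.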
@@ -0,0 +1,28 @@
+title: FlowCloud Malware
+id: 5118765f-6657-4ddb-a487-d7bd673abbf1
+status: experimental
+description: Detects FlowCloud malware from threat group TA410.
+references:
+ - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
+author: NVISO
+tags:
+ - attack.persistence
+ - attack.t1112
+date: 2020/06/09
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject:
+ - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
+ - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
+ - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical

From a9bf22750ab73f80a4edb47fc90a1c5365690b29 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Tue, 9 Jun 2020 16:30:17 +0200
Subject: [PATCH 10/12] Fixed bad indentation

---
 rules/windows/malware/win_mal_octopus_scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
index bcc4b998a..4e7a58883 100644
--- a/rules/windows/malware/win_mal_octopus_scanner.yml
+++ b/rules/windows/malware/win_mal_octopus_scanner.yml
@@ -18,7 +18,7 @@ detection:
 TargetFilename|endswith:
 - '\AppData\Local\Microsoft\Cache134.dat'
 - '\AppData\Local\Microsoft\ExplorerSync.db'
-condition: filecreate and selection
+ condition: filecreate and selection
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file

From 04913a4b957697816988fffaa44eaf40a375c944 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jun 2020 17:20:25 +0200
Subject: [PATCH 11/12] Aligned indentation

---
 .../sysmon_apt_muddywater_dnstunnel.yml | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
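Review bot: The first three `TargetObject` entries are exact key paths, but for EventID 13 (value set) Sysmon's TargetObject is, as far as I know, the full value path — the key followed by `\ValueName` — so those entries can only fire on the EventID 12 key creation, and values written under the keys are missed; only the last entry carries a trailing `\*`. If both the key creation and the values under it are meant to match, use `TargetObject|startswith:` (or `|contains:`) and drop the trailing wildcard from the fourth entry. As with the Octopus Scanner rule, `category: registry_event` plus `product: windows` would replace the `service: sysmon` and `EventID` binding and make the rule backend-portable; the `# key create` / `# value set` comments would then belong in the description.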
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 32004f6e3..3cf7b3099 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -5,23 +5,23 @@ author: '@caliskanfurkan_'
 status: experimental
 date: 2020/06/04
 references:
-- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
-- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+ - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+ - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
 tags:
-- attack.command_and_control
-- attack.t1071
+ - attack.command_and_control
+ - attack.t1071
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\powershell.exe'
- ParentImage|endswith:
- - '\excel.exe'
- CommandLine|contains:
- - 'DataExchange.dll'
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
 condition: selection
 falsepositives:
-- Unkown
-level: medium
+ - Unkown
+level: critical

From 7a334a8d8a33d9d2aeeaca34816c4e52b0a87274 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jun 2020 17:30:54 +0200
Subject: [PATCH 12/12] fix: missed line

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 3cf7b3099..3bb4c1aae 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
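Review bot: `level: medium` is replaced by `level: critical` at the end of a hunk in a commit titled "Aligned indentation", so a severity change that alters how a SOC prioritises every hit is invisible in the history. It should be its own commit, or at least be named in the message with the reasoning; whether `critical` is warranted for a parent/child pair plus one command-line substring is a judgement call, but the reason for it belongs on record. The re-indentation itself looks consistent with the rest of the file from what the hunk shows.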
@@ -21,7 +21,7 @@ detection: - '\excel.exe' CommandLine|contains: - 'DataExchange.dll' - condition: selection + condition: selection falsepositives: - Unkown level: critical