feat: more rules updates

rules-deprecated/windows/image_load_side_load_scm.yml

@@ -1,12 +1,16 @@
 title: SCM DLL Sideload
 id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
-status: experimental
+related:
+    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+      type: similar
+status: deprecated
 description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
 references:
     - https://decoded.avast.io/martinchlumecky/png-steganography/
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
+modified: 2023/02/14
 tags:
     - attack.defense_evasion
     - attack.persistence

rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml

@@ -1,7 +1,7 @@
 title: Creation Of Non-Existent DLLs In System Folders
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
-    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
       type: similar
 status: experimental
 description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
@@ -30,6 +30,8 @@ detection:
             - 'C:\Windows\System32\TSMSISrv.dll'
             - 'C:\Windows\System32\TSVIPSrv.dll'
             - 'C:\Windows\System32\wow64log.dll'
+            - 'C:\Windows\System32\WptsExtensions.dll'
+            - 'C:\Windows\System32\wbem\wbemcomn.dll'
     filter:
         Image|startswith: 'C:\Windows\System32\'
     condition: selection and not filter

rules/windows/image_load/image_load_side_load_non_existent_dlls.yml

@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
 id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 related:
-    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
       type: similar
 status: experimental
 description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

rules/windows/image_load/image_load_side_load_svchost_dlls.yml

@@ -2,9 +2,11 @@ title: Svchost DLL Search Order Hijack
 id: 602a1f13-c640-4d73-b053-be9a2fa58b77
 status: test
 description: |
-  IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
-  An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
+    Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+    IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
+    An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
 references:
+    - https://decoded.avast.io/martinchlumecky/png-steganography/
     - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: SBousseaden
 date: 2019/10/28

rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml

@@ -1,4 +1,4 @@
-title: SharpEvtMute EvtMuteHook Load
+title: HackTool - SharpEvtMute Execution
 id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
 status: experimental
 description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs
@@ -6,6 +6,7 @@ references:
     - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
 date: 2022/09/07
+modified: 2023/02/14
 tags:
     - attack.defense_evasion
     - attack.t1562.002

rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml

@@ -1,7 +1,7 @@
 title: Arbitrary Command Execution Using WSL
 id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
 related:
-    - id: 2267fe65-0681-42ad-9a6d-46553d3f3480
+    - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules
       type: similar
 status: test
 description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands

rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml

@@ -1,11 +1,12 @@
-title: Launch WebBrowserPassView Executable
+title: PUA - WebBrowserPassView Execution
 id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
 status: experimental
-description: Detect use of WebBrowserPassView.exe
+description: Detect execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
 author: frack113
 date: 2022/08/20
+modified: 2023/02/14
 tags:
     - attack.credential_access
     - attack.t1555.003

rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml

@@ -8,7 +8,7 @@ related:
     - id: cd5c8085-4070-4e22-908d-a5b3342deb74
       type: obsoletes
 status: test
-description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine
+description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
     - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
     - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell

rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/nas_bench/status/1550836225652686848
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/25
-modified: 2023/01/22
+modified: 2023/02/14
 tags:
     - attack.execution
     - attack.persistence
@@ -16,7 +16,9 @@ logsource:
     product: windows
 detection:
     selection_parent:
-        ParentImage|endswith: '\WindowsTerminal.exe'
+        ParentImage|endswith:
+            - '\WindowsTerminal.exe'
+            - '\wt.exe'
     selection_susp:
         - Image|endswith:
             # Add more LOLBINS

rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml

@@ -1,7 +1,7 @@
 title: WSL Child Process Anomaly
 id: 2267fe65-0681-42ad-9a6d-46553d3f3480
 related:
-    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
       type: derived
 status: experimental
 description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml

@@ -0,0 +1,23 @@
+title: Windows Binary Executed From WSL
+id: ed825c86-c009-4014-b413-b76003e33d35
+status: experimental
+description: Detects execution of windows binaries from wihthin a WSL instance. This could be used to avoid parent/child relationship detections or similar
+references:
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+    - attack.execution
+    - attack.defense_evasion
+    - attack.t1202
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|re: '[a-zA-Z]:\\'
+        CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium