From 2ef681291ac3fbf1ceca48637eabf8772d4e4b0f Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 14 Feb 2023 19:15:35 +0100
Subject: [PATCH] feat: more rules updates

---
 .../windows}/image_load_side_load_scm.yml | 6 ++++-
 ...ile_event_win_create_non_existent_dlls.yml | 4 +++-
 ...image_load_side_load_non_existent_dlls.yml | 2 +-
 .../image_load_side_load_svchost_dlls.yml | 6 +++--
 ...> proc_creation_win_hktl_sharpevtmute.yml} | 3 ++-
 ...s.yml => proc_creation_win_hktl_uacme.yml} | 0
 .../proc_creation_win_lolbin_susp_wsl.yml | 2 +-
 ... proc_creation_win_persistence_wpbbin.yml} | 0
 ...ershell_hide_services_via_set_service.yml} | 0
 ...reation_win_powershell_x509enrollment.yml} | 0
 ...c_creation_win_pua_webbrowserpassview.yml} | 5 ++--
 ...change_sevice_image_path_by_non_admin.yml} | 0
 ... => proc_creation_win_sc_hide_sevices.yml} | 0
 ...c_creation_win_uac_bypass_trustedpath.yml} | 0
 ...eation_win_web_request_cmd_and_cmdlets.yml | 2 +-
 ...ion_win_windows_terminal_susp_children.yml | 6 +++--
 ...tion_win_wsl_child_processes_anomalies.yml | 2 +-
 ...ion_win_wsl_windows_binaries_execution.yml | 23 +++++++++++++++++++
 ...reation_win_wusa_cab_files_extraction.yml} | 0
 ..._cab_files_extraction_from_susp_paths.yml} | 0
 20 files changed, 48 insertions(+), 13 deletions(-)
 rename {rules/windows/image_load => rules-deprecated/windows}/image_load_side_load_scm.yml (89%)
 rename rules/windows/process_creation/{proc_creation_win_sysmon_disable_sharpevtmute.yml => proc_creation_win_hktl_sharpevtmute.yml} (91%)
 rename rules/windows/process_creation/{proc_creation_win_hktl_uacme_uac_bypass.yml => proc_creation_win_hktl_uacme.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_wpbbin_persistence.yml => proc_creation_win_persistence_wpbbin.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_using_set_service_to_hide_services.yml => proc_creation_win_powershell_hide_services_via_set_service.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_x509enrollment.yml => proc_creation_win_powershell_x509enrollment.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_webbrowserpassview.yml => proc_creation_win_pua_webbrowserpassview.yml} (64%)
 rename rules/windows/process_creation/{proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml => proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_using_sc_to_hide_sevices.yml => proc_creation_win_sc_hide_sevices.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_susp_uac_bypass_trustedpath.yml => proc_creation_win_uac_bypass_trustedpath.yml} (100%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
 rename rules/windows/process_creation/{proc_creation_win_wusa_susp_cab_extraction.yml => proc_creation_win_wusa_cab_files_extraction.yml} (100%)
 rename rules/windows/process_creation/{proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml => proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml} (100%)
diff --git a/rules/windows/image_load/image_load_side_load_scm.yml b/rules-deprecated/windows/image_load_side_load_scm.yml
similarity index 89%
rename from rules/windows/image_load/image_load_side_load_scm.yml
rename to rules-deprecated/windows/image_load_side_load_scm.yml
index 1f311e422..2af7d5512 100644
--- a/rules/windows/image_load/image_load_side_load_scm.yml
+++ b/rules-deprecated/windows/image_load_side_load_scm.yml
@@ -1,12 +1,16 @@
 title: SCM DLL Sideload
 id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
-status: experimental
+related:
+ - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
+ type: similar
+status: deprecated
 description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
 references:
 - https://decoded.avast.io/martinchlumecky/png-steganography/
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
+modified: 2023/02/14
 tags:
 - attack.defense_evasion
 - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index ebf54c4c2..2463417e0 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -1,7 +1,7 @@
 title: Creation Of Non-Existent DLLs In System Folders
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
- - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+ - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
 type: similar
 status: experimental
 description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
@@ -30,6 +30,8 @@ detection:
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
+ - 'C:\Windows\System32\WptsExtensions.dll'
+ - 'C:\Windows\System32\wbem\wbemcomn.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index f1f5f1fd4..e9ce6fbd2 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
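Review bot: The two paths added to `selection` in the second file_event hunk (`C:\Windows\System32\WptsExtensions.dll`, `C:\Windows\System32\wbem\wbemcomn.dll`) are not mirrored into the ImageLoad counterpart `image_load_side_load_non_existent_dlls.yml` (6b98b92b-4f00-4f62-b4fe-4d1920215771), whose only change in this commit is the `related` comment per the diffstat, so the two rules linked as `type: similar` now cover different lists unless that rule already contains them. Keeping both lists in sync in the same commit, or adding a comment in each rule naming the other as the list to keep aligned, avoids the file-creation side alerting on a DLL the load side never looks for.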
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
 id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
 related:
- - id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+ - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
 type: similar
 status: experimental
 description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation
diff --git a/rules/windows/image_load/image_load_side_load_svchost_dlls.yml b/rules/windows/image_load/image_load_side_load_svchost_dlls.yml
index f20d30c40..8d4bb2358 100644
--- a/rules/windows/image_load/image_load_side_load_svchost_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_svchost_dlls.yml
@@ -2,9 +2,11 @@ title: Svchost DLL Search Order Hijack
 id: 602a1f13-c640-4d73-b053-be9a2fa58b77
 status: test
 description: |
- IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
- An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
+ Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+ IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
+ An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
 references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
 - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
 author: SBousseaden
 date: 2019/10/28
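Review bot: The first line merged into the `description: |` block copies the typo `which do not exists` from the deprecated SCM rule and leaves the following line (`IKEEXT and SessionEnv service, as they call LoadLibrary ...`) reading as a fragment; suggest `which do not exist on a typical modern system.` followed by `The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.`. Since `bc3cc333-48b9-467a-9d1f-d44ee594ef48` is deprecated in the same commit and now points here with `type: similar`, this rule should carry the reverse link under `id:` — `related:` / `    - id: bc3cc333-48b9-467a-9d1f-d44ee594ef48` / `      type: obsoletes` — so the replacement is discoverable from the surviving rule. This hunk changes `description` and `references` but, unlike the other edited rules in the commit, does not add a `modified: 2023/02/14` line; if one already exists after `date: 2019/10/28` (beyond the hunk's last line) it should be bumped, otherwise it should be added.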
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
similarity index 91%
rename from rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml
rename to rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
index d6f4e6e9c..0aa052ba5 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml
@@ -1,4 +1,4 @@
-title: SharpEvtMute EvtMuteHook Load
+title: HackTool - SharpEvtMute Execution
 id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
 status: experimental
 description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs
@@ -6,6 +6,7 @@ references:
 - https://github.com/bats3c/EvtMute
 author: Florian Roth (Nextron Systems)
 date: 2022/09/07
+modified: 2023/02/14
 tags:
 - attack.defense_evasion
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
rename to rules/windows/process_creation/proc_creation_win_hktl_uacme.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
index 87b1cac52..b0059931c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
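Review bot: The retitled rule still names the tool `SharpEvtHook` in the unchanged context line `description: Detects the use of SharpEvtHook, a tool to tamper with Windows event logs`, while the new title, the new filename and the bats3c/EvtMute reference all say SharpEvtMute; this looks like a typo rather than a distinct tool, so the description should be corrected in the same commit, e.g. `description: Detects the use of SharpEvtMute, a tool to tamper with Windows event logs`. The rename also drops the `sysmon_disable` part of the path, so anything downstream that keys on the old filename or the old title (`SharpEvtMute EvtMuteHook Load`) needs updating; the unchanged `id` is the stable anchor to point such consumers at.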
@@ -1,7 +1,7 @@
 title: Arbitrary Command Execution Using WSL
 id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
 related:
- - id: 2267fe65-0681-42ad-9a6d-46553d3f3480
+ - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules
 type: similar
 status: test
 description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml b/rules/windows/process_creation/proc_creation_win_persistence_wpbbin.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
rename to rules/windows/process_creation/proc_creation_win_persistence_wpbbin.yml
diff --git a/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml b/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml
diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_x509enrollment.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml
diff --git a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
similarity index 64%
rename from rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
rename to rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
index 5cca29797..ae6042f40 100644
--- a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml
@@ -1,11 +1,12 @@
-title: Launch WebBrowserPassView Executable
+title: PUA - WebBrowserPassView Execution
 id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
 status: experimental
-description: Detect use of WebBrowserPassView.exe
+description: Detect execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
 author: frack113
 date: 2022/08/20
+modified: 2023/02/14
 tags:
 - attack.credential_access
 - attack.t1555.003
diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml
rename to rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_hide_sevices.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml
rename to rules/windows/process_creation/proc_creation_win_sc_hide_sevices.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml
rename to rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml
diff --git a/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
index 5f01e7d62..cd7efa8c0 100644
--- a/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml
@@ -8,7 +8,7 @@ related:
 - id: cd5c8085-4070-4e22-908d-a5b3342deb74
 type: obsoletes
 status: test
-description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine
+description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
 references:
 - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
 - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index 7c50158d1..25663544e 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/nas_bench/status/1550836225652686848
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/25
-modified: 2023/01/22
+modified: 2023/02/14
 tags:
 - attack.execution
 - attack.persistence
@@ -16,7 +16,9 @@ logsource:
 product: windows
 detection:
 selection_parent:
- ParentImage|endswith: '\WindowsTerminal.exe'
+ ParentImage|endswith:
+ - '\WindowsTerminal.exe'
+ - '\wt.exe'
 selection_susp:
 - Image|endswith:
 # Add more LOLBINS
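Review bot: The second windows_terminal hunk adds `- '\wt.exe'` to `ParentImage|endswith`, but on a standard install `wt.exe` is the app-execution alias that hands off to `WindowsTerminal.exe`, so child shells may still be logged with `WindowsTerminal.exe` as parent and the new entry may add no coverage; worth confirming with a recorded process_creation event and, if it does fire, noting that in `references` so the entry is not removed as dead weight later. Because `endswith` matches any executable named `wt.exe` on any path, a one-line `# Windows Terminal alias launcher` comment on the new entry would record why it is there. The `selection_susp` list and the rule's `condition` continue past the end of the hunk.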
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
index 4c06960e0..a0822103e 100644
--- a/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml
@@ -1,7 +1,7 @@
 title: WSL Child Process Anomaly
 id: 2267fe65-0681-42ad-9a6d-46553d3f3480
 related:
- - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+ - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
 type: derived
 status: experimental
 description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
diff --git a/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
new file mode 100644
index 000000000..2bcfc5e93
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml
@@ -0,0 +1,23 @@
+title: Windows Binary Executed From WSL
+id: ed825c86-c009-4014-b413-b76003e33d35
+status: experimental
+description: Detects execution of windows binaries from wihthin a WSL instance. This could be used to avoid parent/child relationship detections or similar
+references:
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1202
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|re: '[a-zA-Z]:\\'
+ CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
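Review bot: In the new rule, `Image|re: '[a-zA-Z]:\\'` is unanchored, so it matches any image path that contains a drive-letter prefix anywhere — effectively every local process — and the selection is decided by `CurrentDirectory` alone; anchoring it as `Image|re: '^[a-zA-Z]:\\'` states the intent and avoids a needless substring scan. `CurrentDirectory|contains: '\\\\wsl.localhost'` only covers the newer UNC name, while earlier WSL builds expose distributions under the `\\wsl$\` prefix, so turning the value into a list — `CurrentDirectory|contains:` / `    - '\\\\wsl.localhost'` / `    - '\\\\wsl$'` — widens coverage without changing the logic. The inline note already concedes that programs without UNC support such as `cmd.exe` fall back to a different working directory, which makes this a partial detection; saying so in `description` rather than only in a trailing comment helps consumers tune expectations. The description also has `wihthin` for `within`.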
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml
rename to rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml
rename to rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml