Merge branch 'master' into aurora-false-positive-fixing

rules/windows/file_event/file_event_susp_exchange_aspx_write.yml

@@ -0,0 +1,26 @@
+title: Suspicious MSExchangeMailboxReplication ASPX Write
+id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
+status: experimental
+description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+references:
+    - https://redcanary.com/blog/blackbyte-ransomware/
+author: Florian Roth
+date: 2022/02/25
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - attack.persistence
+    - attack.t1505.003
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith: '\MSExchangeMailboxReplication.exe'
+        TargetFilename|endswith: 
+            - '.aspx'
+            - '.asp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml

@@ -0,0 +1,27 @@
+title: Hermetic Wiper TG Process Patterns
+id: 2f974656-6d83-4059-bbdf-68ac5403422f
+status: experimental
+description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+author: Florian Roth
+references:
+   - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+date: 2022/02/25
+logsource:
+   category: process_creation
+   product: windows
+detection:
+   selection1:
+      Image|endswith: 
+         - '\policydefinitions\postgresql.exe'
+   selection2:
+      - CommandLine|contains: 
+         - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
+         - ' 1> \\127.0.0.1\ADMIN$\__16'
+      - CommandLine|contains|all:
+         - 'powershell -c '
+         - '\comsvcs.dll MiniDump '
+         - '\winupd.log full'
+   condition: 1 of selection*
+falsepositives:
+   - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_public_folder_parent.yml

@@ -0,0 +1,31 @@
+title: Parent in Public Folder Suspicious Process
+id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
+status: experimental
+description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
+author: Florian Roth
+references:
+  - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    ParentImage|startswith: 'C:\Users\Public\'
+    CommandLine|contains: 
+      - 'powershell'
+      - 'cmd.exe /c '
+      - 'cmd /c '
+      - 'wscript.exe'
+      - 'cscript.exe'
+      - 'bitsadmin'
+      - 'certutil'
+      - 'mshta.exe'
+  condition: selection
+fields:
+  - ComputerName
+  - User
+  - CommandLine
+falsepositives:
+  - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml

@@ -0,0 +1,29 @@
+title: BlackByte Ransomware Patterns
+id: 999e8307-a775-4d5f-addc-4855632335be
+status: experimental
+description: This command line patterns found in BlackByte Ransomware operations
+author: Florian Roth
+references:
+  - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection1:
+    Image|startswith: 'C:\Users\Public\'
+    CommandLine|contains: ' -single '
+  selection2:
+    CommandLine|contains:
+      - 'del C:\Windows\System32\Taskmgr.exe'
+      - ';Set-Service -StartupType Disabled $'
+      - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
+      - ' do start wordpad.exe /p '
+  condition: 1 of selection*
+fields:
+  - ComputerName
+  - User
+  - CommandLine
+falsepositives:
+  - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml

@@ -6,7 +6,7 @@ references:
     - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
-modified: 2022/01/27
+modified: 2022/02/25
 logsource:
     category: process_creation
     product: windows
@@ -21,6 +21,9 @@ detection:
     filter_iexplorer:
         ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
         CommandLine|contains: '.cpl'
+    filter_msiexec:
+        ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
+        CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
     condition: selection and not 1 of filter*
 fields:
     - Image

rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml

@@ -0,0 +1,25 @@
+title: ScreenConnect Backstage Mode Anomaly
+id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
+status: experimental
+references:
+   - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+   - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+tags:
+   - attack.command_and_control
+   - attack.t1219
+author: Florian Roth
+date: 2022/02/25
+logsource:
+   product: windows
+   category: process_creation
+detection:
+   selection:
+      ParentImage|endswith: 'ScreenConnect.ClientService.exe'
+      Image|endswith:
+         - '\cmd.exe'
+         - '\powershell.exe'
+   condition: selection
+falsepositives:
+   - Case in which administrators are allowed to use ScreenConnect's Backstage mode
+level: high

rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml

@@ -0,0 +1,67 @@
+title: CrackMapExec Command Line Flags
+id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
+status: experimental
+description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+author: Florian Roth
+references:
+  - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
+  - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+  - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
+  - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
+date: 2022/02/25
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection_special:
+    CommandLine|contains:
+      - ' -M pe_inject '
+  selection_execute:
+    CommandLine|contains|all:
+      - ' --local-auth'
+      - ' -u '
+      - ' -x '
+  selection_hash:
+    CommandLine|contains|all:
+      - ' --local-auth'
+      - ' -u '
+      - ' -p '
+      - " -H 'NTHASH'"
+  selection_module_mssql:
+    CommandLine|contains|all:
+      - ' mssql '
+      - ' -u '
+      - ' -p '
+      - ' -M '
+      - ' -d '
+  selection_module_smb1:
+    CommandLine|contains|all:
+      - ' smb '
+      - ' -u '
+      - ' -H '
+      - ' -M '
+      - ' -o '
+  selection_module_smb2:
+    CommandLine|contains|all:
+      - ' smb '
+      - ' -u '
+      - ' -p '
+      - ' --local-auth'
+  part_localauth_1:
+    CommandLine|contains|all:
+      - ' --local-auth'
+      - ' -u '
+      - ' -p '
+  part_localauth_2:
+    CommandLine|contains|all:
+      - ' 10.'
+      - ' 192.168.'
+      - '/24 '
+  condition: 1 of selection* or all of part_localauth*
+fields:
+  - ComputerName
+  - User
+  - CommandLine
+falsepositives:
+  - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml

@@ -8,20 +8,20 @@ references:
   - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
   - https://twitter.com/bryon_/status/975835709587075072
 date: 2020/10/10
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection1:
+  selection_1:
     Image|endswith: '\sqlps.exe'
-  selection2:
+  selection_2:
     ParentImage|endswith: '\sqlps.exe'
-  selection3:
+  selection_3:
     OriginalFileName: '\sqlps.exe'
-  reduction:
+  filter:
     ParentImage|endswith: '\sqlagent.exe'
-  condition: selection1 or selection2 or selection3 and not reduction
+  condition: 1 of selection_* and not filter
 falsepositives:
   - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium

rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml

@@ -7,20 +7,20 @@ references:
   - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
   - https://twitter.com/pabraeken/status/993298228840992768
 date: 2020/10/13
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
   category: process_creation
   product: windows
 detection:
-  selection1:
+  selection_1:
     Image|endswith: '\sqltoolsps.exe'
-  selection2:
+  selection_2:
     ParentImage|endswith: '\sqltoolsps.exe'
-  selection3:
+  selection_3:
     OriginalFileName: '\sqltoolsps.exe'
-  reduction:
+  filter:
     ParentImage|endswith: '\smss.exe'
-  condition: selection1 or selection2 or selection3 and not reduction
+  condition: 1 of selection_* and not filter
 falsepositives:
   - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
 level: medium

rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml

@@ -0,0 +1,19 @@
+title: Suspicious Windows Update Agent Empty Cmdline
+id: 52d097e2-063e-4c9c-8fbb-855c8948d135
+status: experimental
+description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+author: Florian Roth
+references:
+    - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/26
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\Wuauclt.exe'
+        CommandLine|endswith: '\Wuauclt.exe' 
+    condition: selection
+falsepositives:
+    - Unknown
+level: high