From 33be089ea2acd6ce36e971fe2af8b6119fdaa42b Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Tue, 7 Sep 2021 09:16:35 +0200
Subject: [PATCH] fix: filename to lowercase

---
 .../auditd/lnx_auditd_susp_c2_commands.yml    | 21 ++++++++++++++
 .../powershell_cl_Invocation_lolscript.yml    | 27 +++++++++++++++++
 .../powershell_cl_Invocation_lolscript_v2.yml | 29 +++++++++++++++++++
 ...powershell_cl_Mutexverifiers_lolscript.yml | 27 +++++++++++++++++
 ...ershell_cl_Mutexverifiers_lolscript_v2.yml | 29 +++++++++++++++++++
 5 files changed, 133 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
 create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript.yml
 create mode 100644 rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml
 create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml
 create mode 100644 rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml

diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
new file mode 100644
index 000000000..8b1456068
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml
@@ -0,0 +1,21 @@
+title: Suspicious C2 Activities
+id: f7158a64-6204-4d6d-868a-6e6378b467e0
+status: experimental
+description: Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
+author: Marie Euler
+references:
+    - 'https://github.com/Neo23x0/auditd'
+date: 2020/05/18
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        key:
+            - 'susp_activity'
+    condition: selection
+falsepositives:
+    - Admin or User activity
+level: medium
+tags:
+    - attack.command_and_control
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml
new file mode 100644
index 000000000..3976c19fb
--- /dev/null
+++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript.yml
@@ -0,0 +1,27 @@
+title: Execution via CL_Invocation.ps1
+id: 4cd29327-685a-460e-9dac-c3ab96e549dc
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml
new file mode 100644
index 000000000..5cd1d3add
--- /dev/null
+++ b/rules/windows/powershell/powershell_cl_Invocation_lolscript_v2.yml
@@ -0,0 +1,29 @@
+title: Execution via CL_Invocation.ps1 (2 Lines)
+id: f588e69b-0750-46bb-8f87-0e9320d57536
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+    - https://twitter.com/bohops/status/948061991012327424
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Invocation.ps1'
+          - 'SyncInvoke'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+      # PS > SyncInvoke c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml
new file mode 100644
index 000000000..a9e742a2d
--- /dev/null
+++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript.yml
@@ -0,0 +1,27 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection:
+        EventID: 4104
+        ScriptBlockText|contains|all:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml
new file mode 100644
index 000000000..8a0fa3a33
--- /dev/null
+++ b/rules/windows/powershell/powershell_cl_Mutexverifiers_lolscript_v2.yml
@@ -0,0 +1,29 @@
+title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
+id: 6609c444-9670-4eab-9636-fe4755a851ce
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+    - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+    - attack.defense_evasion
+    - attack.t1216
+logsource:
+    product: windows
+    service: powershell
+    definition: 'Script block logging must be enabled'
+detection:
+    selection2:
+        EventID: 4104
+        ScriptBlockText|contains:
+          - 'CL_Mutexverifiers.ps1'
+          - 'runAfterCancelProcess'
+    condition: selection2 | count(ScriptBlockText) by Computer > 2
+      # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
+      # PS > runAfterCancelProcess c:\Evil.exe
+falsepositives:
+    - Unknown
+level: high