From 34e9f0530b69eae43d91c055f2c823001ec201eb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 24 Oct 2022 22:57:48 +0200
Subject: [PATCH] Add Inveigh Rules
---
 .../file_event_win_inveigh_artefacts.yml | 34 +++++++++++++++++++
 .../proc_creation_win_hack_inveigh.yml | 32 +++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
diff --git a/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml b/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
new file mode 100644
index 000000000..7f09963f8
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml
@@ -0,0 +1,34 @@
+title: Inveigh Execution Artefacts
+id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
+status: experimental
+description: Detects the presence and execution of Inveigh via dropped artefacts
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
+ - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
+ - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
+date: 2022/10/24
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '\Inveigh-Log.txt'
+ - '\Inveigh-Cleartext.txt'
+ - '\Inveigh-NTLMv1Users.txt'
+ - '\Inveigh-NTLMv2Users.txt'
+ - '\Inveigh-NTLMv1.txt'
+ - '\Inveigh-NTLMv2.txt'
+ - '\Inveigh-FormInput.txt'
+ - '\Inveigh.dll'
+ - '\Inveigh.exe'
+ - '\Inveigh.ps1'
+ - '\Inveigh-Relay.ps1'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
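Review bot: The ATT&CK tags `attack.command_and_control` / `attack.t1219` under `tags:` do not describe what Inveigh does; the referenced Output.cs and Control.cs belong to an LLMNR/NBT-NS/mDNS spoofing and NTLM hash capture tool, so `attack.credential_access` with `attack.t1557.001` (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay) is the closer fit, and the `attack.t1003.001` (LSASS memory) tag on the proc_creation rule in the second file has the same mismatch. The description promises "presence and execution", but a file_event rule only observes files being written, so `description: Detects the creation of files that Inveigh writes or ships with, indicating the tool is present or has run` states the actual signal. The selection also mixes two kinds of evidence: the `Inveigh-*.txt` entries are the tool's default output file names from Output.cs and still fire when the binary is renamed, whereas `\Inveigh.exe`, `\Inveigh.dll` and the two `.ps1` names only catch an unmodified copy; a sentence in `description:` saying which entries are the robust ones would help an analyst weigh a hit.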
diff --git a/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml b/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
new file mode 100644
index 000000000..1d8429602
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml
@@ -0,0 +1,32 @@
+title: Inveigh Hack Tool
+id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
+status: experimental
+description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/Kevin-Robertson/Inveigh
+ - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
+date: 2022/10/24
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\Inveigh.exe'
+ - OriginalFileName:
+ - '\Inveigh.exe'
+ - '\Inveigh.dll'
+ - Description: 'Inveigh'
+ - CommandLine|contains:
+ - ' -SpooferIP'
+ - ' -ReplyToIPs '
+ - ' -ReplyToDomains '
+ - ' -ReplyToMACs '
+ - ' -SnifferIP'
+ condition: selection
+falsepositives:
+ - Very unlikely
+level: critical
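Review bot: The `OriginalFileName` values `'\Inveigh.exe'` and `'\Inveigh.dll'` carry a leading backslash, but that field is the bare file name taken from the PE version resource rather than a path, so this exact-match alternative can never fire; the two entries should read `- 'Inveigh.exe'` and `- 'Inveigh.dll'` (the `Image|endswith: '\Inveigh.exe'` entry above them is correct because Image is a full path). Because each item under `selection:` is a list element the rule is an OR of four alternatives, so the dead OriginalFileName branch is masked by the others instead of breaking the rule, which is why it is easy to miss. The `Description: 'Inveigh'` match and the ` -SpooferIP` / ` -ReplyTo*` / ` -SnifferIP` command-line switches are the only parts that still hit once the binary is renamed; a short note to that effect in `description:` would help triage, and the missing comma in `description: Detects the use of Inveigh a cross-platform ...` should be `Detects the use of Inveigh, a cross-platform ...`.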