Merge pull request #3547 from SigmaHQ/rule-devel

rules: Exchange exploitation, antSword UA
2022-10-01 16:16:29 +02:00
parent 76276f5bcb 626a362e8f
commit 3ae076f08d
3 changed files with 69 additions and 1 deletions
@@ -10,7 +10,7 @@ references:
  - https://perishablepress.com/blacklist/ua-2013.txt
  - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 date: 2017/07/08
-modified: 2022/09/05
+modified: 2022/09/29
 logsource:
  category: proxy
 detection:
@@ -76,6 +76,7 @@ detection:
      - 'mozzzzzzzzzzz'  # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
      - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0'  # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
      - 'Havana/0.1'  # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
+      - 'antSword/v2.1'  # AntSword Webshell UA
  condition: selection
 fields:
  - ClientIP
@@ -0,0 +1,32 @@
+title: Suspicious ASPX File Drop by Exchange
+id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+author: Florian Roth (rule), MSTI (query, idea)
+status: experimental
+references:
+   - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+   - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+   - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+date: 2022/10/01
+tags:
+   - attack.persistence
+   - attack.t1505.003
+logsource:
+   product: windows
+   category: file_event
+detection:
+   selection:
+      Image|endswith: '\w3wp.exe'
+      CommandLine|contains: 'MSExchange'
+      TargetFilename|contains:
+         - 'FrontEnd\HttpProxy\'              # from GTSC and MSTI reports
+         - '\inetpub\wwwroot\aspnet_client\'  # from GTSC report
+   selection_types:
+      TargetFilename|endswith:
+         - '.aspx'
+         - '.asp'
+         - '.ashx'
+   condition: all of selection*
+falsepositives:
+   - Unknown
+level: high
@@ -0,0 +1,35 @@
+title: Chopper Webshell Process Pattern
+id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
+description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+author: Florian Roth (rule), MSTI (query)
+status: experimental
+references:
+    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+date: 2022/10/01
+tags:
+    - attack.persistence
+    - attack.t1505.003
+    - attack.t1018
+    - attack.t1033
+    - attack.t1087
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_origin:
+        - Image|endswith: '\w3wp.exe'
+        - ParentImage|endswith: '\w3wp.exe'
+    selection_cmdline:
+        CommandLine|contains:
+            - '&ipconfig&echo'
+            - '&quser&echo'
+            - '&whoami&echo'
+            - '&c:&echo'
+            - '&cd&echo'
+            - '&dir&echo'
+            - '&echo [E]'
+            - '&echo [S]'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: high