diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index 793bf6d05..b448d4123 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -10,7 +10,7 @@ references:
 - https://perishablepress.com/blacklist/ua-2013.txt
 - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 date: 2017/07/08
-modified: 2022/09/05
+modified: 2022/09/29
 logsource:
 category: proxy
 detection:
@@ -76,6 +76,7 @@ detection:
 - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
 - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
 - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
+ - 'antSword/v2.1' # AntSword Webshell UA
 condition: selection
 fields:
 - ClientIP
diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
new file mode 100644
index 000000000..c924dd891
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
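Review bot: The new `'antSword/v2.1'` entry pins one version of the default user-agent string; if the selection this list belongs to (its key is above the hunk) matches the field exactly, other AntSword builds and any operator-customised agent string will not trigger, so this is a low-confidence indicator that still catches unmodified tooling, and the comment should say so. Unlike every neighbouring entry, the line cites no source; the `# AntSword Webshell UA` comment should carry a reference, e.g. `# AntSword Webshell UA — default agent string, see <reference-url-placeholder>`. The enclosing selection mapping starts outside the hunk.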
@@ -0,0 +1,32 @@
+title: Suspicious ASPX File Drop by Exchange
+id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+author: Florian Roth (rule), MSTI (query, idea)
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+date: 2022/10/01
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ TargetFilename|contains:
+ - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
+ - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
new file mode 100644
index 000000000..7cc10f069
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
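Review bot: `CommandLine|contains: 'MSExchange'` inside `selection` assumes the file-create event carries the creating process's command line, which Sysmon Event ID 11 — the usual source behind `category: file_event` on Windows — does not record as far as I know; on such pipelines the condition can only match if the backend maps that field from the process record, and otherwise the rule never fires while appearing deployed. The query comes from MSTI's EDR telemetry, where the initiating process command line is available, so the rule should state that requirement: add a comment on that line such as `# needs file-create telemetry that includes the initiating process command line (EDR); not present in Sysmon EID 11`, or move the condition into its own selection so the path and extension match still work without it. Since `Image|endswith: '\w3wp.exe'` already restricts the rule to IIS worker processes, the command-line condition mainly excludes non-Exchange IIS sites on the same host, which is worth weighing against losing the rule entirely on Sysmon-only deployments.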
@@ -0,0 +1,35 @@
+title: Chopper Webshell Process Pattern
+id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
+description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+author: Florian Roth (rule), MSTI (query)
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+date: 2022/10/01
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - attack.t1018
+ - attack.t1033
+ - attack.t1087
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_origin:
+ - Image|endswith: '\w3wp.exe'
+ - ParentImage|endswith: '\w3wp.exe'
+ selection_cmdline:
+ CommandLine|contains:
+ - '&ipconfig&echo'
+ - '&quser&echo'
+ - '&whoami&echo'
+ - '&c:&echo'
+ - '&cd&echo'
+ - '&dir&echo'
+ - '&echo [E]'
+ - '&echo [S]'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
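Review bot: The `description` has a typo — `cause by` should read `caused by`: `description: Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells`. The tags list pairs `attack.t1505.003` with `attack.persistence` but gives `attack.t1018`, `attack.t1033` and `attack.t1087` no tactic tag; Sigma convention is to name the tactic alongside each technique, so `- attack.discovery` belongs in the list. `selection_origin` is written as a list of two single-key mappings, which Sigma evaluates as an OR between them; a short comment such as `# match the IIS worker process itself or a shell it spawned directly` would make that intent clear to readers less familiar with the list form.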