From d8ff3339aa416ec9924041e3bd03f7d5517f81ad Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 29 Sep 2022 13:31:16 +0200
Subject: [PATCH 1/3] antSword webshell

---
 rules/proxy/proxy_ua_malware.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/proxy/proxy_ua_malware.yml b/rules/proxy/proxy_ua_malware.yml
index 793bf6d05..b448d4123 100644
--- a/rules/proxy/proxy_ua_malware.yml
+++ b/rules/proxy/proxy_ua_malware.yml
@@ -10,7 +10,7 @@ references:
 - https://perishablepress.com/blacklist/ua-2013.txt
 - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
 date: 2017/07/08
-modified: 2022/09/05
+modified: 2022/09/29
 logsource:
 category: proxy
 detection:
@@ -76,6 +76,7 @@ detection:
 - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
 - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
 - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
+ - 'antSword/v2.1' # AntSword Webshell UA
 condition: selection
 fields:
 - ClientIP
From 65f531fb302048d5aa79d853bcd6e91b5849dcf2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 1 Oct 2022 16:08:27 +0200
Subject: [PATCH 2/3] rule: Exchange Exploitation

---
 .../file_event_win_exchange_webshell_drop.yml | 32 +++++++++++++++++
 .../proc_creation_win_webshell_chopper.yml | 35 +++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_webshell_chopper.yml

diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
new file mode 100644
index 000000000..4bb3b6cc8
--- /dev/null
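Review bot: The added `'antSword/v2.1'` entry is the only item in this user-agent list whose trailing comment carries no source link, while each neighbouring entry cites where the string was observed; suggest `- 'antSword/v2.1' # AntSword webshell client UA, see <source URL>` so the indicator stays verifiable later. The value is presumably the client's default and user-agent strings are trivially changed, so this is a low-cost but brittle indicator, which is worth stating in the same comment. The selection key and its modifier sit above the hunk, so I cannot confirm from here whether the list is matched with `contains` or exact equality.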
+++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
@@ -0,0 +1,32 @@
+title: Suspicious ASPX File Drop by Exchange
+id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
+author: Florian Roth (rule), MSTI (query, idea)
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+date: 2022/10/01
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ TargetFilename|contains:
+ - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
+ - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ condition:
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
new file mode 100644
index 000000000..7cc10f069
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml
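Review bot: `CommandLine|contains: 'MSExchange'` inside a `file_event` rule relies on the file event carrying the initiating process's command line, which as far as I know Sysmon Event ID 11 does not record (it logs Image and TargetFilename, not the command line); the MSTI query this was derived from presumably ran against MDE DeviceFileEvents, where InitiatingProcessCommandLine exists. On Sysmon-backed pipelines the selection can therefore never match, and some backends reject conversion on a field they do not map. Suggest documenting the dependency inline, e.g. `# CommandLine is only available from sources that attach the initiating process command line to file events (e.g. MDE); Sysmon EID 11 does not`, or dropping that constraint and relying on the w3wp.exe image plus the path filter. The empty `condition:` in this file is addressed by PATCH 3/3 in this series.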
@@ -0,0 +1,35 @@
+title: Chopper Webshell Process Pattern
+id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
+description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
+author: Florian Roth (rule), MSTI (query)
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+date: 2022/10/01
+tags:
+ - attack.persistence
+ - attack.t1505.003
+ - attack.t1018
+ - attack.t1033
+ - attack.t1087
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_origin:
+ - Image|endswith: '\w3wp.exe'
+ - ParentImage|endswith: '\w3wp.exe'
+ selection_cmdline:
+ CommandLine|contains:
+ - '&ipconfig&echo'
+ - '&quser&echo'
+ - '&whoami&echo'
+ - '&c:&echo'
+ - '&cd&echo'
+ - '&dir&echo'
+ - '&echo [E]'
+ - '&echo [S]'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
From 626a362e8f94a145cf86a56385d0b3c0230ed789 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 1 Oct 2022 16:09:53 +0200
Subject: [PATCH 3/3] fix: missing condition

---
 .../file_event/file_event_win_exchange_webshell_drop.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
index 4bb3b6cc8..c924dd891 100644
--- a/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file_event/file_event_win_exchange_webshell_drop.yml
@@ -26,7 +26,7 @@ detection:
 - '.aspx'
 - '.asp'
 - '.ashx'
- condition:
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: high
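Review bot: The `tags` list of the new chopper rule pairs `attack.t1505.003` with its tactic `attack.persistence`, but `attack.t1018`, `attack.t1033` and `attack.t1087` are Discovery techniques and the corresponding `attack.discovery` tactic tag is missing; add `- attack.discovery` after `- attack.persistence` so every technique is accompanied by its tactic as the first pair is. The description also has a typo: `cause by` should read `caused by`, and `China Chopper like tiny (ASPX) webshells` reads better as `China Chopper-like tiny (ASPX) webshells`.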