From 3fffd6a8f39357607daaa22da11390abcd698e57 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:12:35 +0100
Subject: [PATCH] Create
 proc_creation_win_wab_execution_from_non_default_location.yml

---
 ...ab_execution_from_non_default_location.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml

diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
new file mode 100644
index 000000000..601a65f63
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
@@ -0,0 +1,27 @@
+title: Wab Execution From Non Default Location
+id: 395907ee-96e5-4666-af2e-2ca91688e151
+status: experimental
+description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+references:
+    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+    - attack.defense_evasion
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\wab.exe'
+    filter:
+        Image|startswith:
+            - 'C:\Windows\WinSxS\'
+            - 'C:\Program Files\Windows Mail\'
+            - 'C:\Program Files (x86)\Windows Mail\'
+    condition: selection and not filter
+falsepositives:
+    - Unlikely
+level: high