Merge pull request #3595 from SigmaHQ/rule-devel

rule: extended susp adfind rule, rule: susp wermgr process patterns

rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml

@@ -11,6 +11,7 @@ references:
     - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
     - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 date: 2022/08/21
+modified: 2022/10/13
 tags:
     - attack.discovery
     - attack.t1018
@@ -21,7 +22,28 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection_1:
+        CommandLine|contains:
+            - 'domainlist'
+            - 'trustdmp'
+            - 'dcmodes'
+            - 'adinfo'
+            - ' dclist '
+            - 'computer_pwdnotreqd'
+            - 'objectcategory='
+            - '-subnets -f'
+            - 'name="Domain Admins"'
+            - '-sc u:'
+            - 'domainncs'
+            - 'dompol'
+            - ' oudmp '
+            - 'subnetdmp'
+            - 'gpodmp'
+            - 'fspdmp'
+            - 'users_noexpire'
+            - 'computers_active'
+            - 'computers_pwdnotreqd'
+    selection_2:
         - Imphash: 
             - bca5675746d13a1f246e2da3c2217492
             - 53e117a96057eaf19c41380d0e87f1c2
@@ -31,7 +53,7 @@ detection:
     filter:
         Image|endswith: '\AdFind.exe'
         OriginalFileName: 'AdFind.exe'
-    condition: selection and not filter
+    condition: 1 of selection* and not filter
 falsepositives:
     - Unknown
 level: high

rules/windows/process_creation/proc_creation_win_susp_wermgr.yml

@@ -0,0 +1,36 @@
+title: Suspicious WERMGR Process Patterns
+id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF
+status: experimental
+description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
+references:
+   - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
+   - https://www.echotrail.io/insights/search/wermgr.exe
+author: Florian Roth
+date: 2022/10/14
+logsource:
+   category: process_creation
+   product: windows
+detection:
+   selection_img:
+      Image|endswith: '\wermgr.exe'
+   filter_img_location:
+      Image|contains:
+         - 'C:\Windows\System32\'
+         - 'C:\Windows\SysWOW64\'
+   selection_susp_parent:
+      ParentImage|endswith: '\wermgr.exe'
+      Image|endswith:
+         - '\nslookup.exe'
+         - '\ipconfig.exe'
+         - '\net.exe'
+         - '\net1.exe'
+         - '\whoami.exe'
+         - '\netstat.exe'
+         - '\systeminfo.exe'
+         - '\cmd.exe'
+         - '\powershell.exe'
+   condition: selection_img and not filter_img_location
+              or 1 of selection_susp*
+falsepositives:
+   - Unknown
+level: high