Merge pull request #3595 from SigmaHQ/rule-devel

rule: extended susp adfind rule, rule: susp wermgr process patterns

rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml

@@ -0,0 +1,45 @@
+title: Silence.EDA Detection
+id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
+status: test
+description: Detects Silence EmpireDNSAgent as described in the Group-IP report
+author: Alina Stepchenkova, Group-IB, oscd.community
+date: 2019/11/01
+modified: 2022/10/05
+references:
+    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+logsource:
+    product: windows
+    service: powershell
+detection:
+    empire:
+        # better to randomise the order
+        ScriptBlockText|contains|all:
+            - 'System.Diagnostics.Process'
+            - 'Stop-Computer'
+            - 'Restart-Computer'
+            - 'Exception in execution'
+            - '$cmdargs'
+            - 'Close-Dnscat2Tunnel'
+    dnscat:
+        # better to randomise the order
+        ScriptBlockText|contains|all:
+            - 'set type=$LookupType`nserver'
+            - '$Command | nslookup 2>&1 | Out-String'
+            - 'New-RandomDNSField'
+            - '[Convert]::ToString($SYNOptions, 16)'
+            - '$Session.Dead = $True'
+            - '$Session["Driver"] -eq'
+    condition: empire and dnscat
+falsepositives:
+    - Unknown
+level: critical
+tags:
+    - attack.execution
+    - attack.t1059.001
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363