feat: add emerging-threat rules related to mint-sandstorm

rules-emerging-threats/2023/Mint-Sandstorm/README.md

@@ -0,0 +1,9 @@
+# Mint Sandstorm / PHOSPHORUS
+
+## Summary
+
+On April 18th 2023 Microsoft Threat Intelligence team reported on a new nation state activity they're tracking as Mint Sandstorm (previously tracked as PHOSPHORUS).
+
+You can find more information on the threat in the following articles:
+
+- [Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets](https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/)

rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml

@@ -0,0 +1,115 @@
+title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
+id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
+status: test
+description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
+author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+date: 2023/04/20
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent:
+        ParentImage|contains|all:
+            - 'aspera'
+            - '\ruby'
+    selection_special_child_powershell_img:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\powershell_ise.exe'
+    selection_special_child_powershell_cli:
+        - CommandLine|contains:
+            - ' echo '
+            - '-dumpmode'
+            - '-ssh'
+            - '.dmp'
+            - 'add-MpPreference'
+            - 'adscredentials'
+            - 'bitsadmin'
+            - 'certutil'
+            - 'csvhost.exe'
+            - 'DownloadFile'
+            - 'DownloadString'
+            - 'dsquery'
+            - 'ekern.exe'
+            - 'FromBase64String'
+            - 'iex '
+            - 'iex('
+            - 'Invoke-Expression'
+            - 'Invoke-WebRequest'
+            - 'localgroup administrators'
+            - 'net group'
+            - 'net user'
+            - 'o365accountconfiguration'
+            - 'query session'
+            - 'samaccountname='
+            - 'set-MpPreference'
+            - 'svhost.exe'
+            - 'System.IO.Compression'
+            - 'System.IO.MemoryStream'
+            - 'usoprivate'
+            - 'usoshared'
+            - 'whoami'
+        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+    selection_special_child_lsass_1:
+        CommandLine|contains: 'lsass'
+    selection_special_child_lsass_2:
+        CommandLine|contains:
+            - 'procdump'
+            - 'tasklist'
+            - 'findstr'
+    selection_child_wget:
+        Image|endswith: '\wget.exe'
+        CommandLine|contains: 'http'
+    selection_child_curl:
+        Image|endswith: '\curl.exe'
+        CommandLine|contains: 'http'
+    selection_child_script:
+        CommandLine|contains:
+            - 'E:jscript'
+            - 'e:vbscript'
+    selection_child_localgroup:
+        CommandLine|contains|all:
+            - 'localgroup Administrators'
+            - '/add'
+    selection_child_net:
+        CommandLine|contains:
+            - 'net' # Covers net1
+        CommandLine|contains|all:
+            - 'user'
+            - '/add'
+    selection_child_reg:
+        - CommandLine|contains|all:
+            - 'reg add'
+            - 'DisableAntiSpyware'
+            - '\Microsoft\Windows Defender'
+        - CommandLine|contains|all:
+            - 'reg add'
+            - 'DisableRestrictedAdmin'
+            - 'CurrentControlSet\Control\Lsa'
+    selection_child_wmic_1:
+        CommandLine|contains|all:
+            - 'wmic'
+            - 'process call create'
+    selection_child_wmic_2:
+        CommandLine|contains|all:
+            - 'wmic'
+            - 'delete'
+            - 'shadowcopy'
+    selection_child_vssadmin:
+        CommandLine|contains|all:
+            - 'vssadmin'
+            - 'delete'
+            - 'shadows'
+    selection_child_wbadmin:
+        CommandLine|contains|all:
+            - 'wbadmin'
+            - 'delete'
+            - 'catalog'
+    condition: all of selection_parent_path and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
+falsepositives:
+    - Unlikely
+level: critical

rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4J_wstomcat_execution.yml

@@ -0,0 +1,21 @@
+title: Mint Sandstorm - Log4J Wstomcat Process Execution
+id: 7c97c625-0350-4f0a-8943-f6cadc88125e
+status: test
+description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
+author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+date: 2023/04/20
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        ParentImage|endswith: '\ws_tomcatservice.exe'
+        Image|endswith: '\repadmin.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml

@@ -0,0 +1,122 @@
+title: Mint Sandstorm - ManageEngine Suspicious Process Execution
+id: 58d8341a-5849-44cd-8ac8-8b020413a31b
+status: test
+description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
+references:
+    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
+author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
+date: 2023/04/20
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_parent_path:
+        ParentImage|contains:
+            - 'manageengine'
+            - 'ServiceDesk'
+    selection_parent_image:
+        ParentImage|contains: '\java'
+    selection_special_child_powershell_img:
+        Image|endswith:
+            - '\powershell.exe'
+            - '\powershell_ise.exe'
+    selection_special_child_powershell_cli:
+        - CommandLine|contains:
+            - ' echo '
+            - '-dumpmode'
+            - '-ssh'
+            - '.dmp'
+            - 'add-MpPreference'
+            - 'adscredentials'
+            - 'bitsadmin'
+            - 'certutil'
+            - 'csvhost.exe'
+            - 'DownloadFile'
+            - 'DownloadString'
+            - 'dsquery'
+            - 'ekern.exe'
+            - 'FromBase64String'
+            - 'iex '
+            - 'iex('
+            - 'Invoke-Expression'
+            - 'Invoke-WebRequest'
+            - 'localgroup administrators'
+            - 'net group'
+            - 'net user'
+            - 'o365accountconfiguration'
+            - 'query session'
+            - 'samaccountname='
+            - 'set-MpPreference'
+            - 'svhost.exe'
+            - 'System.IO.Compression'
+            - 'System.IO.MemoryStream'
+            - 'usoprivate'
+            - 'usoshared'
+            - 'whoami'
+        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+    selection_special_child_lsass_1:
+        CommandLine|contains: 'lsass'
+    selection_special_child_lsass_2:
+        CommandLine|contains:
+            - 'procdump'
+            - 'tasklist'
+            - 'findstr'
+    selection_child_wget:
+        Image|endswith: '\wget.exe'
+        CommandLine|contains: 'http'
+    selection_child_curl:
+        Image|endswith: '\curl.exe'
+        CommandLine|contains: 'http'
+    selection_child_script:
+        CommandLine|contains:
+            - 'E:jscript'
+            - 'e:vbscript'
+    selection_child_localgroup:
+        CommandLine|contains|all:
+            - 'localgroup Administrators'
+            - '/add'
+    selection_child_net:
+        CommandLine|contains:
+            - 'net' # Covers net1
+        CommandLine|contains|all:
+            - 'user'
+            - '/add'
+    selection_child_reg:
+        - CommandLine|contains|all:
+            - 'reg add'
+            - 'DisableAntiSpyware'
+            - '\Microsoft\Windows Defender'
+        - CommandLine|contains|all:
+            - 'reg add'
+            - 'DisableRestrictedAdmin'
+            - 'CurrentControlSet\Control\Lsa'
+    selection_child_wmic_1:
+        CommandLine|contains|all:
+            - 'wmic'
+            - 'process call create'
+    selection_child_wmic_2:
+        CommandLine|contains|all:
+            - 'wmic'
+            - 'delete'
+            - 'shadowcopy'
+    selection_child_vssadmin:
+        CommandLine|contains|all:
+            - 'vssadmin'
+            - 'delete'
+            - 'shadows'
+    selection_child_wbadmin:
+        CommandLine|contains|all:
+            - 'wbadmin'
+            - 'delete'
+            - 'catalog'
+    filter_main:
+        CommandLine|contains|all:
+            - 'download.microsoft.com'
+            - 'manageengine.com'
+            - 'msiexec'
+    condition: all of selection_parent_path and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
+falsepositives:
+    - Unlikely
+level: critical