From 5508ff45b671ccedccebfdaff84197879eedf0f9 Mon Sep 17 00:00:00 2001 From: Cyb3rEng <88643791+Cyb3rEng@users.noreply.github.com> Date: Mon, 30 Aug 2021 21:47:36 -0600 Subject: [PATCH] Add files via upload --- ...ocess_Creations_by_Office_applications.yml | 39 +++++++++++++++ ...creations_with_Wmiprvse_parent_process.yml | 37 +++++++++++++++ ..._proxy executing_regsvr32_with_payload.yml | 47 +++++++++++++++++++ ...Applications_Spawning_WMI_command-line.yml | 36 ++++++++++++++ 4 files changed, 159 insertions(+) create mode 100644 rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml create mode 100644 rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml create mode 100644 rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml create mode 100644 rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml diff --git a/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml new file mode 100644 index 000000000..6b77a997a --- /dev/null +++ b/rules/windows/process_creation/Monitor_LOLBins_Process_Creations_by_Office_applications.yml @@ -0,0 +1,39 @@ +title: Monitor LOLBins Process Creations by Office applications (Security Event Logs) +description: This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + NewProcessName|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentProcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml new file mode 100644 index 000000000..90d5557ee --- /dev/null +++ b/rules/windows/process_creation/Monitor_LOLBins_process_creations_with_Wmiprvse_parent_process.yml @@ -0,0 +1,37 @@ +title: LOLBins process creations with Wmiprvse parent process. (Security Event Logs) +description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + NewProcessName|endswith: + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + selection3: + ParentProcessName|endswith: + - "\\wbem\\WmiPrvSE.exe" + condition: selection1 AND selection2 AND selection3 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml new file mode 100644 index 000000000..b54db391b --- /dev/null +++ b/rules/windows/process_creation/Monitor_Office_Application_from_proxy executing_regsvr32_with_payload.yml @@ -0,0 +1,47 @@ +title: Monitor Excel from proxy executing regsvr32 with payload (Security Event Logs) +description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicous parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: Windows + service: security + category: process_creation +detection: + description: add more LOLBins to the rules logic of your choice. + selection1: + EventLog: security + EventID: 4688 + selection2: + ProcessCommandLine: + - '*regsvr32*' + - '*rundll32*' + - '*msiexec*' + - '*mshta*' + - '*verclsid*' + selection3: + - ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + ParentProcessName|endswith: + - winword.exe + - excel.exe + - powerpnt.exe + selection5: + processCommandLine|contains|all: + - 'process' + - 'create' + - 'call' + condition: selection1 AND selection2 AND selection3 AND selection4 AND selection5 +falsepositives: +- "" +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml new file mode 100644 index 000000000..df25ef114 --- /dev/null +++ b/rules/windows/process_creation/Monitor_Office_Applications_Spawning_WMI_command-line.yml @@ -0,0 +1,36 @@ +title: Office Applications Spawning WMI command-line (Security Event Logs) +description: Initial execution of malicious document calls wmic to execute the file with regsvr32 +references: +- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ +- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: "Idea by: Vadim Khrykov" +tags: +- attack.t1204.002 +- attack.t1047 +- attack.t1218.010 +- attack.execution +- attack.defence_evasion +status: experimental +Date: 2021/23/8 +logsource: + product: windows + service: security + category: process_creation +detection: + description: Add more office applications to the rule logic of choice + selection1: + - EventLog: security + selection2: + - EventID: 4688 + selection3: + - ProcessName: '*\wbem\WMIC.exe' + - ProcessCommandLine: '*wmic *' + selection4: + - ParentProcessName: + - winword.exe + - excel.exe + - powerpnt.exe + condition: selection1 AND selection2 AND selection3 AND selection4 +falsepositives: +- "" +level: high \ No newline at end of file