From 5b60e0ea5ab8e1dc56fe371f4be3bc48f9592c0b Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Mon, 16 Aug 2021 09:10:05 +0200
Subject: [PATCH] feat: Add some rules to detect Conti behaviour

Add rules based on the leaks from the Conti group to detect malicious behaviour.
---
 .../powershell_invoke_nightmare.yml | 21 +++++++++++++++
 ...shell_shellintel_malicious_commandlets.yml | 27 +++++++++++++++++++
 .../process_creation/win_malware_conti.yml | 24 +++++++++++++++++
 .../win_malware_conti_7zip.yml | 20 ++++++++++++++
 .../win_malware_conti_shadowcopy.yml | 25 +++++++++++++++++
 .../win_susp_cmd_shadowcopy_access.yml | 19 +++++++++++++
 6 files changed, 136 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_invoke_nightmare.yml
 create mode 100644 rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti_7zip.yml
 create mode 100644 rules/windows/process_creation/win_malware_conti_shadowcopy.yml
 create mode 100644 rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
diff --git a/rules/windows/powershell/powershell_invoke_nightmare.yml b/rules/windows/powershell/powershell_invoke_nightmare.yml
new file mode 100644
index 000000000..790778afe
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_nightmare.yml
@@ -0,0 +1,21 @@
+title: PrintNightmare Powershell Exploitation
+id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
+status: experimental
+description: Detects Commandlet name for PrintNightmare exploitation.
+date: 2021/08/09
+references:
+ - https://github.com/calebstewart/CVE-2021-1675
+author: Max Altgelt, Tobias Michalski
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Invoke-Nightmare
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
new file mode 100644
index 000000000..e65c3c23b
--- /dev/null
+++ b/rules/windows/powershell/powershell_shellintel_malicious_commandlets.yml
@@ -0,0 +1,27 @@
+title: Malicious ShellIntel PowerShell Commandlets
+id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
+status: experimental
+description: Detects Commandlet names from ShellIntel exploitation scripts.
+date: 2021/08/09
+references:
+ - https://github.com/Shellntel/scripts/
+tags:
+ - attack.execution
+ - attack.t1059.001
+author: Max Altgelt, Tobias Michalski
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5.
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText:
+ - Invoke-SMBAutoBrute
+ - Invoke-GPOLinks
+ - Out-Minidump
+ - Invoke-Potato
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_malware_conti.yml b/rules/windows/process_creation/win_malware_conti.yml
new file mode 100644
index 000000000..7e3e32d44
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti.yml
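Review bot: `ScriptBlockText:` with the bare list value `- Invoke-Nightmare` is a full-field match in Sigma, so the rule only fires when the entire logged script block is exactly `Invoke-Nightmare`; a 4104 event carrying the function definition, or a call with parameters such as `Invoke-Nightmare -DriverName ...`, will not match. Use a substring modifier, `ScriptBlockText|contains: 'Invoke-Nightmare'`, which is what the description ("Detects Commandlet name") intends. The rule also has no `tags` block, unlike the ShellIntel rule in the same patch; `attack.execution` and `attack.t1059.001` would be consistent, and given the CVE-2021-1675 reference a privilege-escalation technique tag is worth confirming and adding.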
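Review bot: The same full-field match problem applies to `ScriptBlockText:` in this rule: each of the four names is compared against the whole script block, so `Invoke-SMBAutoBrute` only matches a block consisting of nothing but that token, and the script-block logging the `definition` recommends will almost never produce such a block. Change the field to `ScriptBlockText|contains:` so the names are matched as substrings. Since the detection keys purely on default function names, a renamed copy of the scripts evades it; stating that in the description (`Detects the default commandlet names from ShellIntel exploitation scripts; renamed functions are not covered`) helps whoever tunes it later.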
@@ -0,0 +1,24 @@
+title: Conti Volume Shadow Listing
+id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
+description: Detects a command used by conti to find volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'vssadmin list shadows'
+ - 'log.txt'
+ condition: 1 of them
+fields:
+ - User
+ - CommandLine
+ - ParentImage
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_malware_conti_7zip.yml b/rules/windows/process_creation/win_malware_conti_7zip.yml
new file mode 100644
index 000000000..4023e89bd
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti_7zip.yml
@@ -0,0 +1,20 @@
+title: Conti Volume Shadow Listing
+id: aa92fd02-09f2-48b0-8a93-864813fb8f41
+description: Detects a command used by conti to exfiltrate NTDS
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains|all:
+ - '7za.exe'
+ - '\\C$\\temp\\log.zip'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
new file mode 100644
index 000000000..babdb8d3d
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
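Review bot: `condition: 1 of them` over a single `selection` reads like a leftover from a multi-selection draft; it evaluates the same as `condition: selection`, which states the intent (both substrings required in one command line via `|contains|all`) directly. The `log.txt` token is very generic on its own, so if the leaked command redirected to a fixed path, matching that path instead of the bare file name would tighten the rule without losing the observed behaviour. The rule carries no `tags`; the other PowerShell rule in this patch does, and shadow-copy enumeration as a precursor to hive/NTDS theft maps to a credential-access technique worth confirming and adding.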
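Review bot: The title `Conti Volume Shadow Listing` is copied from the previous rule and contradicts this rule's own description (`exfiltrate NTDS`) and its selection, which matches a `7za.exe` invocation referencing `\C$\temp\log.zip`; with four rules in this patch now sharing one title, alerts become indistinguishable, so rename it, e.g. `title: Conti NTDS Archive Creation via 7zip`. The description also overstates slightly: the pattern catches the archive being created on an admin share, not the transfer itself, and it only fires on that exact share path and archive name, which the description should say so that a different staging path is understood as a gap. A `tags` block (archive-via-utility, `attack.t1560.001`, is the obvious candidate to confirm) would keep it consistent with the ShellIntel rule.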
@@ -0,0 +1,25 @@
+title: Conti Volume Shadow Listing
+id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
+description: Detects a command used by conti to access volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+ selection_2:
+ CommandLine|contains:
+ - '\\NTDS.dit'
+ - '\\SYSTEM'
+ - '\\SECURITY'
+ - 'C:\\tmp\\log'
+ condition: all of them
+falsepositives:
+ - Some rare backup scenarios
+level: medium
diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
new file mode 100644
index 000000000..14509d5ea
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
@@ -0,0 +1,19 @@
+title: Conti Volume Shadow Listing
+id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
+description: Detects a command used by conti to access volume shadow backups
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+status: experimental
+references:
+ - https://twitter.com/vxunderground/status/1423336151860002816?s=20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
+ condition: all of them
+falsepositives:
+ - Some rare backup scenarios
+level: medium
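Review bot: In `selection_2`, `'\\SYSTEM'` and `'\\SECURITY'` are case-insensitive substring matches (`|contains`), so `\SYSTEM` also matches every path containing `\System32\`; any command that touches a shadow copy under `\Windows\System32\` satisfies the selection even when no registry hive is involved, which makes the second selection close to a no-op for that subtree. Anchoring on the hive location, `'\\config\\SYSTEM'` and `'\\config\\SECURITY'` (plus `'\\config\\SAM'` if SAM theft should be covered, as it usually is alongside SYSTEM), matches what the rule is actually after. The title says "Listing" while the description and pattern are about accessing/copying files out of a shadow copy; `Conti Volume Shadow Copy Access` or similar would be accurate, and a credential-access tag (`attack.t1003.003` for NTDS, `attack.t1003.002` for the hives) is worth confirming.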
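Review bot: `id: c73124a7-3e89-44a3-bdc1-25fe4df754b1` is the same UUID as `win_malware_conti_shadowcopy.yml` earlier in this patch; the Sigma `id` must be unique per rule, so this file needs a freshly generated UUID before merge. The title, description and references are also copied verbatim from that rule even though the filename `win_susp_cmd_shadowcopy_access` describes a generic detection; a title like `Copy from Volume Shadow Copy via Cmd`, a description that does not attribute every hit to Conti, and a credential-access tag to be confirmed would make the rule self-describing. Note that because the match is `|contains`, `'copy \\\\\?\\GLOBALROOT...'` already matches `xcopy` and `robocopy` invocations (both end in `copy `), which is useful and worth stating in the description so nobody adds redundant entries.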