From 09afae1e66393f5c534a7dd8c9a6d96419f35bd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 14:27:19 +0300
Subject: [PATCH 1/9] Create sysmon_apt_muddywater_dnstunnel.yml

Detecting DNS tunnel activity from MuddyWater as in https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
---
 .../sysmon_apt_muddywater_dnstunnel.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
new file mode 100644
index 000000000..38a292923
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -0,0 +1,26 @@
+title: "Muddywater DNS tunnel method detection"
+description: "Detecting DNS tunnel activity from Muddywater"
+author: Furkan Caliskan
+status: "testing"
+references:
+- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+tags:
+- attack.command_and_control
+- attack.t1071
+logsource:
+ product: "windows"
+ service: "sysmon"
+detection:
+ selection:
+ EventID: 1
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
+ condition: selection
+falsepositives:
+- Unkown
+level: medium

From bafd6bde5f69f7d519426ac1273de9260b7bf517 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 14:45:10 +0300
Subject: [PATCH 2/9] Convert to process_creation

Convert to process_creation
---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
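Review bot: The selection closing this hunk never looks at DNS — it fires on excel.exe spawning powershell.exe with `DataExchange.dll` somewhere in the command line, so the title, description and the bare `attack.t1071` tag promise a DNS-tunnel detection that the logic cannot deliver, and an analyst triaging the alert will go looking for the wrong artefact. I would describe what is actually matched, e.g. `description: Detects Excel spawning PowerShell with the DataExchange.dll argument used by a MuddyWater sample that the references associate with DNS-tunnelling C2`, and add the execution-side tags (`attack.execution`, `attack.t1059.001`) next to the C2 one, using the DNS sub-technique `attack.t1071.004` if that link is kept. The only discriminating token is a single sample-specific string, so this is an IOC-grade rule that a renamed DLL evades trivially; saying so in the description sets expectations, and listing `'\pwsh.exe'` alongside `'\powershell.exe'` costs nothing. `falsepositives` also carries a typo: `- Unkown` should be `- Unknown`.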
diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 38a292923..2c39917ae 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,4 @@
-title: "Muddywater DNS tunnel method detection"
+title: "Muddywater DNS tunnel detection"
 description: "Detecting DNS tunnel activity from Muddywater"
 author: Furkan Caliskan
 status: "testing"
@@ -9,8 +9,8 @@ tags:
 - attack.command_and_control
 - attack.t1071
 logsource:
- product: "windows"
- service: "sysmon"
+ category: process_creation
+ product: windows
 detection:
 selection:
 EventID: 1

From 1c677aa172fbdc42dd2b07fbca4d3cfb33e33815 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:13:32 +0300
Subject: [PATCH 3/9] Fix title as in guideline

Fix title error as in guideline and other cosmetic changes
---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 2c39917ae..13ee8b635 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,7 +1,7 @@
-title: "Muddywater DNS tunnel detection"
-description: "Detecting DNS tunnel activity from Muddywater"
+title: Muddywater DNS tunnel activity
+description: Detecting DNS tunnel activity for Muddywater actor
 author: Furkan Caliskan
-status: "testing"
+status: testing
 references:
 - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html

From 0744107fbb3fcf2444d00a8d3539dd1a2ce6bbd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:19:08 +0300
Subject: [PATCH 4/9] Deleted EventID part

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 13ee8b635..87b6a254f 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -13,7 +13,6 @@ logsource:
 product: windows
 detection:
 selection:
- EventID: 1
 Image|endswith:
 - '\powershell.exe'
 ParentImage|endswith:

From 5e373153ebf64c2d1d4a47e9cbc2a14c356f4ecc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:28:37 +0300
Subject: [PATCH 5/9] Title fix

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 87b6a254f..b77e33e3c 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,4 @@
-title: Muddywater DNS tunnel activity
+title: DNS Tunnel Technique from MuddyWater
 description: Detecting DNS tunnel activity for Muddywater actor
 author: Furkan Caliskan
 status: testing

From e958a6a9398d0dc32eeb78eccfeeb2dfc0081fe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:34:44 +0300
Subject: [PATCH 6/9] Date added

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index b77e33e3c..e13e7fcaf 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,7 +1,8 @@
 title: DNS Tunnel Technique from MuddyWater
 description: Detecting DNS tunnel activity for Muddywater actor
-author: Furkan Caliskan
-status: testing
+author: '@caliskanfurkan_'
+status: experimental
+date: 2020/06/04
 references:
 - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
 - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html

From 082696ee84e00d2c1367267f156d31bfb52c415a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Furkan=20=C3=87ALI=C5=9EKAN?=
Date: Thu, 4 Jun 2020 18:38:42 +0300
Subject: [PATCH 7/9] Added UUID

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index e13e7fcaf..32004f6e3 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -1,4 +1,5 @@
 title: DNS Tunnel Technique from MuddyWater
+id: 36222790-0d43-4fe8-86e4-674b27809543
 description: Detecting DNS tunnel activity for Muddywater actor
 author: '@caliskanfurkan_'
 status: experimental

From 04913a4b957697816988fffaa44eaf40a375c944 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jun 2020 17:20:25 +0200
Subject: [PATCH 8/9] Aligned indentation

---
 .../sysmon_apt_muddywater_dnstunnel.yml | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 32004f6e3..3cf7b3099 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -5,23 +5,23 @@ author: '@caliskanfurkan_'
 status: experimental
 date: 2020/06/04
 references:
-- https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
-- https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
+ - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/
+ - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
 tags:
-- attack.command_and_control
-- attack.t1071
+ - attack.command_and_control
+ - attack.t1071
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith:
- - '\powershell.exe'
- ParentImage|endswith:
- - '\excel.exe'
- CommandLine|contains:
- - 'DataExchange.dll'
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ ParentImage|endswith:
+ - '\excel.exe'
+ CommandLine|contains:
+ - 'DataExchange.dll'
 condition: selection
 falsepositives:
-- Unkown
-level: medium
+ - Unkown
+level: critical

From 7a334a8d8a33d9d2aeeaca34816c4e52b0a87274 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 9 Jun 2020 17:30:54 +0200
Subject: [PATCH 9/9] fix: missed line

---
 rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
index 3cf7b3099..3bb4c1aae 100644
--- a/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
+++ b/rules/windows/sysmon/sysmon_apt_muddywater_dnstunnel.yml
@@ -21,7 +21,7 @@ detection:
 - '\excel.exe'
 CommandLine|contains:
 - 'DataExchange.dll'
- condition: selection
+ condition: selection
 falsepositives:
 - Unkown
 level: critical
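Review bot: The last four lines of the patch-8 hunk silently raise `level: medium` to `level: critical`, which the commit subject ("Aligned indentation") does not mention and nothing in the series justifies; for a `status: experimental` rule whose only discriminating token is one sample-specific string and whose false-positive field still reads `Unkown`, `critical` needs some stated validation behind it, otherwise keep `level: high` and call the bump out in the message. While touching those lines, the typo should become `- Unknown`. The indentation change itself cannot be verified from this rendering, where old and new sides collapse to a single space, so whoever applies the patch should confirm that the list items under `references`, `tags` and `falsepositives` end up consistently indented in the Sigma style.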