Merge pull request #3414 from frack113/sysmon14

Add file_event_proxy_dropping_executable

rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml

@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Archive
+id: 654fcc6d-840d-4844-9b07-2c3300e54a26
+description: Detects programs on a Windows system that should not write an archive to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith:
+            # Microsoft Office Programs Dropping Executables
+            - \winword.exe
+            - \excel.exe
+            - \powerpnt.exe
+            - \msaccess.exe
+            - \mspub.exe
+            - \eqnedt32.exe
+            - \visio.exe
+            - \wordpad.exe
+            - \wordview.exe
+            # LOLBINs that can be used to download executables
+            - \certutil.exe
+            - \certoc.exe
+            - \CertReq.exe
+            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+            - \Desktopimgdownldr.exe
+            - \esentutl.exe
+            # - \expand.exe
+            - \finger.exe
+            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+            - \notepad.exe
+            - \AcroRd32.exe
+            - \RdrCEF.exe
+            - \mshta.exe
+            - \hh.exe
+        TargetFilename|endswith:
+            - '.zip'
+            - '.rar'
+            - '.7z'
+            - '.diagcab'
+            - '.appx'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1218

rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml

@@ -0,0 +1,50 @@
+title: Legitimate Application Dropped Executable
+id: f0540f7e-2db3-4432-b9e0-3965486744bc
+description: Detects programs on a Windows system that should not write executables to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith:
+            # Microsoft Office Programs Dropping Executables
+            - \winword.exe
+            - \excel.exe
+            - \powerpnt.exe
+            - \msaccess.exe
+            - \mspub.exe
+            - \eqnedt32.exe
+            - \visio.exe
+            - \wordpad.exe
+            - \wordview.exe
+            # LOLBINs that can be used to download executables
+            - \certutil.exe
+            - \certoc.exe
+            - \CertReq.exe
+            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+            - \Desktopimgdownldr.exe
+            - \esentutl.exe
+            # - \expand.exe
+            - \finger.exe
+            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+            - \notepad.exe
+            - \AcroRd32.exe
+            - \RdrCEF.exe
+            - \mshta.exe
+            - \hh.exe
+        TargetFilename|endswith:
+            - '.exe'
+            - '.dll'
+            - '.ocx'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1218

rules/windows/file_event/file_event_legitimate_app_dropping_script.yml

@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Script
+id: 7d604714-e071-49ff-8726-edeb95a70679
+description: Detects programs on a Windows system that should not write scripts to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        Image|endswith:
+            # Microsoft Office Programs Dropping Executables
+            - \winword.exe
+            - \excel.exe
+            - \powerpnt.exe
+            - \msaccess.exe
+            - \mspub.exe
+            - \eqnedt32.exe
+            - \visio.exe
+            - \wordpad.exe
+            - \wordview.exe
+            # LOLBINs that can be used to download executables
+            - \certutil.exe
+            - \certoc.exe
+            - \CertReq.exe
+            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+            - \Desktopimgdownldr.exe
+            - \esentutl.exe
+            # - \expand.exe
+            - \finger.exe
+            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+            - \AcroRd32.exe
+            - \RdrCEF.exe
+            - \mshta.exe
+            - \hh.exe
+        TargetFilename|endswith:
+            - '.ps1'
+            - '.bat'
+            - '.vbs'
+            - '.scf'
+            - '.wsf'
+            - '.wsh'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+  - attack.defense_evasion
+  - attack.t1218