Merge pull request #793 from Neo23x0/rule-devel

Esentutl rule and StrongPity Loader UA

rules/proxy/proxy_ua_apt.yml

@@ -46,6 +46,7 @@ detection:
         - 'hots scot'  # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
         - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)'  # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
         - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36'  # Hidden Cobra malware
+        - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)'  # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
     condition: selection
 fields:
     - ClientIP

rules/windows/deprecated/win_susp_esentutl_activity.yml

@@ -0,0 +1,29 @@
+title: Suspicious Esentutl Use
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+status: experimental
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. 
+author: Florian Roth
+date: 2020/05/23
+references:
+    - https://lolbas-project.github.io/
+    - https://twitter.com/chadtilbury/status/1264226341408452610
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.s0404
+    - attack.t1218
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - ' /vss '
+            - ' /y '
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative activity
+level: high