From d1a5471d2131b9f14787db3ae7e56eb8428bb560 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 23 May 2020 17:38:10 +0200
Subject: [PATCH 1/3] rule: Strong Pity loader UA
---
 rules/proxy/proxy_ua_apt.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index d8328ce91..0baf02b23 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -46,6 +46,7 @@ detection:
 - 'hots scot' # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
 - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
 - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
+ - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
 condition: selection
 fields:
 - ClientIP
From df715386b6abaa5a1208dc611d4e1e3e7cf91d3a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 23 May 2020 18:27:36 +0200
Subject: [PATCH 2/3] rule: suspicious esentutl use
---
 .../deprecated/win_susp_esentutl_activity.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/deprecated/win_susp_esentutl_activity.yml
diff --git a/rules/windows/deprecated/win_susp_esentutl_activity.yml b/rules/windows/deprecated/win_susp_esentutl_activity.yml
new file mode 100644
index 000000000..7473358f5
--- /dev/null
+++ b/rules/windows/deprecated/win_susp_esentutl_activity.yml
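Review bot: The new UA string is added as a bare list entry, so whether it is matched exactly or as a substring depends on the field modifier on the selection key, which sits above this hunk; with an exact-match field a real request whose UA continues after `rv:47.0)` (a full Gecko/Firefox token string) would be missed, whereas with `contains` the lone token still matches. Consider also recording the VK_Intel link in the rule's `references:` list rather than only in the inline comment, since comments are dropped by most YAML consumers and by rule-conversion tooling. The enclosing `detection` mapping starts before the hunk.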
@@ -0,0 +1,29 @@
+title: Suspicious Esentutl Use
+id: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7
+status: experimental
+description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
+author: Florian Roth
+date: 2020/05/23
+references:
+ - https://lolbas-project.github.io/
+ - https://twitter.com/chadtilbury/status/1264226341408452610
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.s0404
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - ' /vss '
+ - ' /y '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative activity
+level: high
From 3028a27055b5ed7a1104cfa8389b7e5005fb0f83 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 23 May 2020 18:32:02 +0200
Subject: [PATCH 3/3] fix: buggy rule
---
 rules/windows/deprecated/win_susp_esentutl_activity.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/deprecated/win_susp_esentutl_activity.yml b/rules/windows/deprecated/win_susp_esentutl_activity.yml
index 7473358f5..1e3e62db5 100644
--- a/rules/windows/deprecated/win_susp_esentutl_activity.yml
+++ b/rules/windows/deprecated/win_susp_esentutl_activity.yml
@@ -16,8 +16,8 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- CommandLine|contains:
+ selection:
+ CommandLine|contains|all:
 - ' /vss '
 - ' /y '
 condition: selection
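Review bot: The selection in this new rule keys only on the two switches ` /vss ` and ` /y ` in `CommandLine` and never names the binary, so even after the `|all` fix in PATCH 3/3 any process whose command line carries both strings fires, not just esentutl; add `Image|endswith: '\esentutl.exe'` (or the equivalent `OriginalFileName` check) alongside the `CommandLine` clause. Both strings are space-padded on both sides, so `/vss` given as the last token of a command line is missed; with the image binding in place, `' /vss'` without the trailing space would be safe to use. The file is created under `rules/windows/deprecated/` while its `status` is `experimental`, which reads like a wrong path for a brand-new rule — presumably the regular Windows process-creation rule folder was intended. The same points apply to the selection rewritten in the `@@ -16,8 +16,8 @@` hunk of PATCH 3/3.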