From 73f44e61d13dce190e56cc3983d8940ea8dacdb3 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 20 Jul 2023 13:47:30 +0200
Subject: [PATCH] feat: add more rules
---
 ...e_event_win_susp_recycle_bin_fake_exec.yml | 31 +++++
 ..._load_side_load_abused_dlls_susp_paths.yml | 47 +++++++
 .../image_load_side_load_ccleaner_du.yml | 31 +++++
 ...ge_load_side_load_ccleaner_reactivator.yml | 29 ++++
 ...net_connection_win_dead_drop_resolvers.yml | 127 ++++++++++++++++--
 ...n_win_cmd_ping_copy_combined_execution.yml | 31 +++++
 ...on_win_cmd_ping_del_combined_execution.yml | 1 +
 ..._creation_win_curl_insecure_connection.yml | 24 ++++
 .../proc_creation_win_netsh_fw_add_rule.yml | 4 +-
 .../proc_creation_win_netsh_fw_set_rule.yml | 28 ++++
 ...reation_win_powershell_decrypt_pattern.yml | 39 ++++++
 .../proc_creation_win_schtasks_reg_loader.yml | 36 +++--
 ...eation_win_schtasks_reg_loader_encoded.yml | 42 ++++++
 ...on_win_susp_recycle_bin_fake_execution.yml | 27 ++++
 ...ion_win_werfault_reflect_debugger_exec.yml | 27 ++++
 ...gistry_set_persistence_reflectdebugger.yml | 26 ++++
 16 files changed, 520 insertions(+), 30 deletions(-)
 create mode 100644 rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_ccleaner_du.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
new file mode 100644
index 000000000..9a91abde2
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -0,0 +1,31 @@
+title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
+related:
+ - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+ type: derived
+status: experimental
+description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware
+references:
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - Image|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ - TargetFilename|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
new file mode 100644
index 000000000..d95044ce9
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
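Review bot: The `related` entry declares this rule as `derived` from 5ce0f04e-3efc-42af-839d-5b3a543b76c0, while that rule (proc_creation_win_susp_recycle_bin_fake_execution.yml, later in this patch) declares itself `derived` from this one; a mutual derivation is contradictory and tooling that walks the relation graph cannot pick a parent. Keep `type: derived` on one side only, or, if the project's Sigma spec version supports it, mark both as `type: similar`. The same two-way `derived` pairing appears between proc_creation_win_werfault_reflect_debugger_exec.yml and registry_set_persistence_reflectdebugger.yml at the end of the patch.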
@@ -0,0 +1,47 @@
+title: Abusable DLL Potential Sideloading From Suspicious Location
+id: 1228c958-e64e-4e71-92ad-7d429f4138ba
+status: experimental
+description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+references:
+ - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
+ - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/07/11
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_dll:
+ ImageLoaded|endswith:
+ # Note: Add more generic DLLs that cannot be pin-pointed to a single application
+ - '\coreclr.dll'
+ - '\facesdk.dll'
+ - '\HPCustPartUI.dll'
+ - '\libcef.dll'
+ - '\ZIPDLL.dll'
+ selection_folders_1:
+ ImageLoaded|contains:
+ - ':\Perflogs\'
+ - ':\Users\Public\'
+ - '\Temporary Internet'
+ - '\Windows\Temp\'
+ selection_folders_2:
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Favorites\'
+ - CommandLine|contains|all:
+ - ':\Users\'
+ - '\Favourites\'
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Contacts\'
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Pictures\'
+ condition: selection_dll and 1 of selection_folders_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
new file mode 100644
index 000000000..5a640660d
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
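Review bot: The second entry of `selection_folders_2` keys on `CommandLine|contains|all`, but this is an `image_load` rule and image-load events (Sysmon Event ID 7) carry no CommandLine field, so the `\Favourites\` branch can never match; it looks like a copy/paste slip for `- ImageLoaded|contains|all:` with `':\Users\'` and `'\Favourites\'`, matching the three sibling entries. Separately, the tags `attack.execution` / `attack.t1059` describe command-and-scripting-interpreter execution, whereas the two CCleaner sideloading rules in this same patch tag `attack.t1574.002`; aligning this rule with them (`- attack.defense_evasion`, `- attack.t1574.002`) keeps the technique mapping consistent across the sideloading rule family.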
@@ -0,0 +1,31 @@
+title: Potential CCleanerDU.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerDU.dll"
+references:
+ - https://lab52.io/blog/2344-2/
+author: X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\CCleanerDU.dll'
+ filter_main_path:
+ Image|startswith:
+ - 'C:\Program Files\CCleaner\'
+ - 'C:\Program Files (x86)\CCleaner\'
+ Image|endswith:
+ - '\CCleaner.exe'
+ - '\CCleaner64.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
new file mode 100644
index 000000000..a6fe99ab9
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
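Review bot: The `id` 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 is reused verbatim by the next new file, image_load_side_load_ccleaner_reactivator.yml; Sigma rule ids must be unique across the repository, and the project's id-uniqueness check will presumably reject this patch as-is. Generate a fresh UUID for one of the two rules (and, if they are meant to be linked, reference each other under `related`). Everything else in the rule, including the `Image|startswith` plus `Image|endswith` pairing in the filter, reads correctly.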
@@ -0,0 +1,29 @@
+title: Potential CCleanerReactivator.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+references:
+ - https://lab52.io/blog/2344-2/
+author: X__Junior
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\CCleanerReactivator.dll'
+ filter_main_path:
+ Image|startswith:
+ - 'C:\Program Files\CCleaner\'
+ - 'C:\Program Files (x86)\CCleaner\'
+ Image|endswith: '\CCleanerReactivator.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
index e28ff5f41..75ee7c7be 100644
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
@@ -6,9 +6,9 @@ references:
 - https://content.fireeye.com/apt-41/rpt-apt41
 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
 - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
-author: Sorina Ionescu
+author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022/08/17
-modified: 2023/04/18
+modified: 2023/07/20
 tags:
 - attack.command_and_control
 - attack.t1102
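Review bot: The `author` line reads `X__Junior` without the `(Nextron Systems)` affiliation that the same author carries in every other new rule of this patch (including the sibling CCleanerDU rule); use `author: X__Junior (Nextron Systems)` for consistency. The `id` on the second line is the same UUID as image_load_side_load_ccleaner_du.yml and one of the two must be regenerated, as noted on that file.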
@@ -22,24 +22,48 @@ detection:
 DestinationHostname|endswith:
 - '.cloudflare.com'
 - '.githubusercontent.com'
+ - '4shared.com'
+ - 'anonfiles.com'
 - 'cdn.discordapp.com'
+ - 'ddns.net'
+ - 'discord.com/api/webhooks/'
 - 'docs.google.com'
+ - 'drive.google.com'
+ - 'dropbox.com'
+ - 'dropmefiles.com'
 - 'facebook.com'
 - 'feeds.rapidfeeds.com'
 - 'fotolog.com'
+ - 'ghostbin.co/'
+ - 'gist.githubusercontent.com'
+ - 'hastebin.com'
 - 'imgur.com'
 - 'livejournal.com'
+ - 'mediafire.com'
+ - 'mega.nz'
+ - 'onedrive.com'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
 - 'pastetext.net'
+ - 'privatlab.com'
+ - 'privatlab.net'
+ - 'raw.githubusercontent.com'
 - 'reddit.com'
+ - 'send.exploit.in'
+ - 'sendspace.com'
 - 'steamcommunity.com'
+ - 'storage.googleapis.com'
+ - 't.me'
 - 'technet.microsoft.com'
+ - 'temp.sh'
+ - 'transfer.sh'
 - 'twitter.com'
+ - 'ufile.io'
+ - 'vimeo.com'
+ - 'wetransfer.com'
 - 'youtube.com'
- filter_main_brave:
- Image|endswith: '\brave.exe'
+ # Note: Add/Remove browsers that you don't use or those that have custom install locations
 filter_main_chrome:
 Image:
 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
@@ -52,8 +76,6 @@ detection:
 Image:
 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 - 'C:\Program Files\Internet Explorer\iexplore.exe'
- filter_main_maxthon:
- Image|endswith: '\maxthon.exe'
 filter_main_edge_1:
 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
@@ -67,16 +89,8 @@ detection:
 Image|endswith:
 - '\msedge.exe'
 - '\msedgewebview2.exe'
- filter_main_opera:
- Image|endswith: '\opera.exe'
 filter_main_safari:
 Image|endswith: '\safari.exe'
- filter_main_seamonkey:
- Image|endswith: '\seamonkey.exe'
- filter_main_vivaldi:
- Image|endswith: '\vivaldi.exe'
- filter_main_whale:
- Image|endswith: '\whale.exe'
 filter_optional_defender:
 Image|endswith:
 - '\MsMpEng.exe' #Microsoft Defender executable
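Review bot: The new entries `'discord.com/api/webhooks/'` and `'ghostbin.co/'` sit under `DestinationHostname|endswith`, but a hostname field never contains a URL path or a trailing slash, so neither value can ever match and the intended Discord-webhook coverage is silently absent. If only the host is available in this log source, use `'discord.com'` and `'ghostbin.co'` (accepting that the webhook path cannot be distinguished at the hostname level), or move the path-bearing values to a rule on a log source that records the full URL. Also, `'gist.githubusercontent.com'` and `'raw.githubusercontent.com'` are already covered by the existing `'.githubusercontent.com'` suffix and add nothing. The `selection` block that owns this list starts outside the hunk.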
@@ -85,6 +99,91 @@ detection:
 Image|endswith: '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
 filter_optional_qlik:
 Image|endswith: '\Engine.exe' #Process from qlik.com app
+ filter_main_brave:
+ Image|endswith: '\brave.exe'
+ Image|startswith: 'C:\Program Files\BraveSoftware\'
+ filter_main_maxthon:
+ Image|contains: '\AppData\Local\Maxthon\'
+ Image|endswith: '\maxthon.exe'
+ filter_main_opera:
+ Image|contains: '\AppData\Local\Programs\Opera\'
+ Image|endswith: '\opera.exe'
+ filter_main_seamonkey:
+ Image|startswith:
+ - 'C:\Program Files\SeaMonkey\'
+ - 'C:\Program Files (x86)\SeaMonkey\'
+ Image|endswith: '\seamonkey.exe'
+ filter_main_vivaldi:
+ Image|contains: '\AppData\Local\Vivaldi\'
+ Image|endswith: '\vivaldi.exe'
+ filter_main_whale:
+ Image|startswith:
+ - 'C:\Program Files\Naver\Naver Whale\'
+ - 'C:\Program Files (x86)\Naver\Naver Whale\'
+ Image|endswith: '\whale.exe'
+ filter_main_tor:
+ Image|contains: '\Tor Browser\'
+ filter_main_whaterfox:
+ Image|startswith:
+ - 'C:\Program Files\Waterfox\'
+ - 'C:\Program Files (x86)\Waterfox\'
+ Image|endswith: '\Waterfox.exe'
+ filter_main_midori:
+ Image|contains: '\AppData\Local\Programs\midori-ng\'
+ Image|endswith: '\Midori Next Generation.exe'
+ filter_main_slimbrowser:
+ Image|startswith:
+ - 'C:\Program Files\SlimBrowser\'
+ - 'C:\Program Files (x86)\SlimBrowser\'
+ Image|endswith: '\slimbrowser.exe'
+ filter_main_flock:
+ Image|contains: '\AppData\Local\Flock\'
+ Image|endswith: '\Flock.exe'
+ filter_main_phoebe:
+ Image|contains: '\AppData\Local\Phoebe\'
+ Image|endswith: '\Phoebe.exe'
+ filter_main_falkon:
+ Image|startswith:
+ - 'C:\Program Files\Falkon\'
+ - 'C:\Program Files (x86)\Falkon\'
+ Image|endswith: '\falkon.exe'
+ filter_main_qtweb:
+ Image|startswith:
+ - 'C:\Program Files (x86)\QtWeb\'
+ - 'C:\Program Files\QtWeb\'
+ Image|endswith: '\QtWeb.exe'
+ filter_main_avant:
+ Image|startswith:
+ - 'C:\Program Files (x86)\Avant Browser\'
+ - 'C:\Program Files\Avant Browser\'
+ Image|endswith: '\avant.exe'
+ filter_main_whatsapp:
+ Image|startswith:
+ - 'C:\Program Files (x86)\WindowsApps\'
+ - 'C:\Program Files\WindowsApps\'
+ Image|endswith: 'WhatsApp.exe'
+ filter_main_telegram:
+ Image|contains: '\AppData\Roaming\Telegram Desktop\'
+ Image|endswith: '\Telegram.exe'
+ filter_main_onedrive:
+ Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+ Image|endswith: '\OneDrive.exe'
+ filter_main_dropbox:
+ Image|startswith:
+ - 'C:\Program Files (x86)\Dropbox\Client\'
+ - 'C:\Program Files\Dropbox\Client\'
+ Image|endswith: '\Dropbox.exe'
+ filter_main_mega:
+ Image|contains: '\AppData\Local\MEGAsync\'
+ Image|endswith: 'MEGAsync.exe'
+ filter_main_googledrive:
+ Image|startswith:
+ - 'C:\Program Files\Google\Drive File Stream\'
+ - 'C:\Program Files (x86)\Google\Drive File Stream\'
+ Image|endswith: 'GoogleDriveFS.exe'
+ filter_main_discord:
+ Image|contains: '\AppData\Local\Discord\'
+ Image|endswith: '\Discord.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
new file mode 100644
index 000000000..1dd1d2956
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
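Review bot: `filter_main_whatsapp`, `filter_main_mega` and `filter_main_googledrive` use `Image|endswith` without the leading path separator (`'WhatsApp.exe'`, `'MEGAsync.exe'`, `'GoogleDriveFS.exe'`), unlike every other filter in this block, so any binary whose name merely ends in those strings under the given prefix is exempted; write them as `'\WhatsApp.exe'`, `'\MEGAsync.exe'` and `'\GoogleDriveFS.exe'`. `filter_main_tor` has no executable constraint at all (`Image|contains: '\Tor Browser\'` alone), which exempts anything launched from such a directory; pairing it with the bundled browser's image name would narrow it to the intended process. Note that many of the new exemptions are keyed on `\AppData\...` paths, which are user-writable, so they are inherently weaker allow-lists than the `C:\Program Files\...` ones; a comment stating this trade-off next to `# Note: Add/Remove browsers ...` would help tuners. Minor: `filter_main_whaterfox` is misspelled (`filter_main_waterfox`).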
@@ -0,0 +1,31 @@
+title: Suspicious Ping/Del Command Combination
+id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
+status: experimental
+description: Detects uncommon one liner command having ping and copy at the same time usually used by malware.
+references:
+ - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
+ selection_cmd:
+ - Image|endswith: '\cmd.exe'
+ - OriginalFileName: 'Cmd.Exe'
+ selection_cli:
+ CommandLine|contains: # Count
+ - ' -n '
+ - ' /n '
+ CommandLine|contains|all:
+ - 'ping' # Covers "ping" and "ping.exe"
+ - 'copy '
+ - ' /y '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 1392aff46..7657e3ab4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -17,6 +17,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
+ # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
 # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
 selection_count:
 CommandLine|contains:
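Review bot: The title `Suspicious Ping/Del Command Combination` does not match the rule, whose selection requires `'copy '` and `' /y '` and whose description talks about ping and copy; it appears to have been carried over from the ping/del rule, so use `title: Suspicious Ping/Copy Command Combination`. The tag `attack.t1070.004` (Indicator Removal: File Deletion) was likely carried over for the same reason and does not describe a copy operation; drop it or replace it with a technique that fits the copy-after-delay behaviour the rule targets. A short description of the false-positive surface (the `' -n '`/`' /n '` and `'ping'` substrings are generic) would also help tuners, since `falsepositives` is only `Unknown`.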
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
new file mode 100644
index 000000000..8c1c4314e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -0,0 +1,24 @@
+title: Insecure Transfer Via Curl.EXE
+id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+status: experimental
+description: Detects execution of "curl.exe" with the "--insecure" flag.
+references:
+ - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\curl.exe'
+ - OriginalFileName: 'curl.exe'
+ selection_cli:
+ - CommandLine|re: '\s-k\s'
+ - CommandLine|contains: '--insecure'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 078e5046f..7bae271de 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -3,7 +3,6 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
- - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
 - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
@@ -11,6 +10,7 @@ modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.t1562.004
+ - attack.s0246
 logsource:
 category: process_creation
 product: windows
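Review bot: The regex `'\s-k\s'` requires whitespace on both sides, so a command line whose last token is `-k` (no trailing space) is not matched even though the description promises coverage of the short flag; `- CommandLine|re: '\s-k(\s|$)'` closes that gap while keeping the word boundary that avoids matching `-k` inside longer options. The `description` mentions only `"--insecure"`; since the rule also matches `-k`, say so, e.g. `Detects execution of "curl.exe" with the "--insecure" (or "-k") flag.`, so analysts are not surprised by hits without the long form.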
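Review bot: The `modified: 2023/02/10` line visible in the second hunk's header context is not bumped although this patch changes the rule's references, tags and (in the following hunk) false positives; the repository convention is to update `modified` whenever rule content changes, so set it to the commit date, `modified: 2023/07/20`. Removing the S0246 MITRE link from `references` while adding `attack.s0246` as a tag is fine, but keeping the link would preserve the provenance for readers who do not resolve software ids.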
@@ -33,5 +33,5 @@ detection:
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Legitimate administration activity
- - Software installations and removal
+ - Software installations
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
new file mode 100644
index 000000000..52f6125c0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
@@ -0,0 +1,28 @@
+title: Firewall Rule Update Via Netsh.EXE
+id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
+status: test
+description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
+references:
+ - https://ss64.com/nt/netsh.html
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\netsh.exe'
+ - OriginalFileName: 'netsh.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
+ # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
+ - ' firewall '
+ - ' set '
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activity
+ - Software installations and removal
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
new file mode 100644
index 000000000..dae6f0106
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
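Review bot: The new rule's `id` cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c is the id of the existing proc_creation_win_netsh_fw_add_rule.yml (shown in the hunk header above), so the patch introduces a duplicate id that the repository's uniqueness check will reject; generate a new UUID and, if the relationship matters, point at the add-rule id under `related`. A brand-new rule should also start as `status: experimental`, as every other new rule in this patch does, rather than `test`. Finally the `description` advertises the `"advfirewall"` context but the selection only requires `' firewall '` and `' set '`, which also matches the legacy `netsh firewall set ...` context; either add `- 'advfirewall'` to the `contains|all` list or reword the description to state that both contexts are covered.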
@@ -0,0 +1,39 @@
+title: PowerShell Execution With Potential Decryption Capabilities
+id: 434c08ba-8406-4d15-8b24-782cb071a691
+status: experimental
+description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware.
+references:
+ - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/06/30
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_cli_dir:
+ CommandLine|contains:
+ - "Get-ChildItem "
+ - "dir "
+ selection_cli_gc:
+ CommandLine|contains:
+ - "Get-Content "
+ - "gc "
+ selection_cli_specific:
+ CommandLine|contains|all:
+ - ' ^| '
+ - '\*.lnk'
+ - '-Recurse'
+ - '-Skip '
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index d5b98d9a4..9a3e9a0a2 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
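Review bot: `condition: selection` references a selection that does not exist; the rule only defines `selection_img`, `selection_cli_dir`, `selection_cli_gc` and `selection_cli_specific`, so the rule fails validation (or, on a lenient backend, never matches). Judging by the four-part structure the intent is presumably `condition: all of selection_*`. Note also that `selection_img` is written as a mapping, which ANDs `Image|endswith` with `OriginalFileName`, whereas the other new rules in this patch list the two as alternatives (`- Image|endswith:` / `- OriginalFileName:`); with the mapping form an event from a source that lacks `OriginalFileName` can never match, so the list form is the safer and more consistent choice. The `description` has a stray quote: `decrypts an ".LNK" file to drop the next stage of the malware.`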
@@ -1,12 +1,14 @@
-title: Scheduled Task Executing Powershell Encoded Payload from Registry
-id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
-status: test
-description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+title: Scheduled Task Executing Payload from Registry
+id: 86588b36-c6d3-465f-9cee-8f9093e07798
+related:
+ - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+ type: derived
+status: experimental
+description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport
-date: 2022/02/12
-modified: 2023/02/04
+author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/18
 tags:
 - attack.execution
 - attack.persistence
@@ -20,17 +22,23 @@ detection:
 # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
 - Image|endswith: '\schtasks.exe'
 - OriginalFileName: 'schtasks.exe'
- selection_cli:
- CommandLine|contains|all:
- - '/Create'
- - 'FromBase64String'
+ selection_cli_create:
+ CommandLine|contains: '/Create'
+ selection_cli_get:
+ CommandLine|contains:
 - 'Get-ItemProperty'
+ - ' gp ' # Alias
+ selection_cli_hive:
 CommandLine|contains:
 - 'HKCU:'
 - 'HKLM:'
 - 'registry::'
 - 'HKEY_'
- condition: all of selection_*
+ filter_main_encoding:
+ CommandLine|contains:
+ - 'FromBase64String'
+ - 'encodedcommand'
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
- - Unlikely
-level: high
+ - Unknown
+level: medium
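Review bot: `filter_main_encoding` hands encoded-payload cases off to the sibling high-level rule by matching only `'FromBase64String'` and `'encodedcommand'`, but PowerShell accepts any unambiguous prefix of that parameter (`-enc`, `-ec`, `-e`), and those spellings appear neither here nor in the new proc_creation_win_schtasks_reg_loader_encoded.yml's `selection_cli_encoding`; such a task would therefore fire only this medium rule and miss the high one. Add the usual abbreviated forms (for example `- ' -e '`, `- ' -ec '`, `- ' -enc '`) to both lists so the two rules stay complementary. The comment `# schtasks.exe /Create ...` is a sample command line rather than an explanation of the selection; a one-line comment stating that `selection_cli_get` and `selection_cli_hive` together require a registry read in the task action would make the intent clearer. The `selection_img` block that owns the two `- Image|endswith:`/`- OriginalFileName:` context lines starts outside the hunk.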
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
new file mode 100644
index 000000000..b5af7a3d4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
@@ -0,0 +1,42 @@
+title: Scheduled Task Executing Encoded Payload from Registry
+id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
+status: test
+description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
+references:
+ - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2022/02/12
+modified: 2023/02/04
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_cli_create:
+ CommandLine|contains: '/Create'
+ selection_cli_encoding:
+ CommandLine|contains:
+ - 'FromBase64String'
+ - 'encodedcommand'
+ selection_cli_get:
+ CommandLine|contains:
+ - 'Get-ItemProperty'
+ - ' gp '  # Alias
+ selection_cli_hive:
+ CommandLine|contains:
+ - 'HKCU:'
+ - 'HKLM:'
+ - 'registry::'
+ - 'HKEY_'
+ condition: all of selection_*
+falsepositives:
+ - Unlikely
+level: high
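Review bot: `modified: 2023/02/04` is carried over unchanged although this file's content diverges from the rule it inherits the id from: the author list is extended, `selection_cli_encoding` is split out with the additional `'encodedcommand'` value, and the `' gp '` alias is added; the convention is to bump `modified` on any content change, so set `modified: 2023/07/20`. Keeping the original `date` and id is reasonable since this continues the old rule, but a `related` entry of `type: renamed` (if the project's spec supports it) pointing from the old filename would document the move. The `'encodedcommand'` value shares the abbreviated-parameter gap noted on proc_creation_win_schtasks_reg_loader.yml above.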
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
new file mode 100644
index 000000000..f9c7854c1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
@@ -0,0 +1,27 @@
+title: Suspicious Process Execution From Fake Recycle.Bin Folder
+id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+related:
+ - id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
+ type: derived
+status: experimental
+description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+references:
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
new file mode 100644
index 000000000..9dcdba70e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -0,0 +1,27 @@
+title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+related:
+ - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+ type: derived
+status: experimental
+description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path
+references:
+ - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+ - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\WerFault.exe'
+ - OriginalFileName: 'WerFault.exe'
+ selection_cli:
+ CommandLine|contains: ' -pr '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
new file mode 100644
index 000000000..a11cc6107
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
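Review bot: The `description` is garbled ("which could be store malware path") and does not say what an analyst should check on a hit; suggested wording: `Detects execution of "WerFault.exe" with the "-pr" command line flag, which makes it launch the program configured in the "ReflectDebugger" registry value. That value is a known persistence location, so the configured path should be reviewed.` The `' -pr '` pattern is the only command-line constraint, so the `falsepositives` entry should mention that legitimate Windows Error Reporting invocations with that flag are expected on systems where a debugger is configured, rather than `Unknown`.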
@@ -0,0 +1,26 @@
+title: Potential WerFault ReflectDebugger Registry Value Abuse
+id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+related:
+ - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+ type: derived
+status: experimental
+description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence.
+references:
+ - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+ - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior
+date: 2023/05/18
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: 'SetValue'
+ TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
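Review bot: The tags `attack.defense_evasion` / `attack.t1036.003` (Masquerading: Rename System Utilities) do not describe what the rule detects; the `description` and the file name both say the ReflectDebugger value is a persistence location, so the tactic should at least include `- attack.persistence`, with the technique chosen to match the project's mapping for registry-based event-triggered execution rather than masquerading. `author: X__Junior` lacks the `(Nextron Systems)` affiliation used elsewhere in this patch. The `related` entry mirrors the `derived` relation already declared in the opposite direction by proc_creation_win_werfault_reflect_debugger_exec.yml, which is the same two-way problem noted on the first file of this patch.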