Merge pull request #3718 from SigmaHQ/rule-devel

Rule devel

rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/hfiref0x/UACME
 author: Christian Burkard, Florian Roth
 date: 2021/08/30
-modified: 2022/07/27
+modified: 2022/11/19
 tags:
     - attack.defense_evasion
     - attack.privilege_escalation
@@ -47,7 +47,7 @@ detection:
             - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
             - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
     selection_hash:
-        IMPHASH:
+        Imphash:
             - '767637c23bb42cd5d7397cf58b0be688'
             - '14c4e4c72ba075e9069ee67f39188ad8'
             - '3c782813d4afce07bbfc5a9772acdbdc'

rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml

@@ -6,7 +6,7 @@ references:
     - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Florian Roth, oscd.community
 date: 2019/01/29
-modified: 2022/01/07
+modified: 2022/11/14
 tags:
     - attack.lateral_movement
     - attack.defense_evasion
@@ -19,7 +19,7 @@ detection:
     selection:
         Image|endswith: '\netsh.exe'
         CommandLine|contains|all:
-            - 'i'
+            - ' i'
             - ' p'
             - '=3389'
             - ' c'

rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml

@@ -0,0 +1,36 @@
+title: Suspicious RunAs-Like Flag Combination
+id: 50d66fb0-03f8-4da0-8add-84e77d12a020
+status: experimental
+description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+references:
+    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
+author: Florian Roth
+date: 2022/11/11
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_user:
+        CommandLine|contains:
+            - ' -u system '
+            - ' --user system '
+            - ' -u NT'
+            - ' -u "NT'
+            - " -u 'NT"
+            - ' --system '
+            - ' -u administrator '
+    selection_command:
+        CommandLine|contains:
+            - ' -c cmd'
+            - ' -c "cmd'
+            - ' -c powershell'
+            - ' -c "powershell'
+            - ' --command cmd'
+            - ' --command powershell'
+            - ' -c whoami'
+            - ' -c wscript'
+            - ' -c cscript'
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml

@@ -1,23 +1,31 @@
-title: Process Hacker Usage
+title: Process Hacker / System Informer Usage
 id: 811e0002-b13b-4a15-9d00-a613fce66e42
 status: experimental
-description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
+description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
 references:
     - https://processhacker.sourceforge.io/
+    - https://github.com/winsiderss/systeminformer
     - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth
 date: 2022/10/10
+modified: 2022/11/16
 logsource:
     category: process_creation
     product: windows
 detection:
     selection_image:
-        Image|contains: '\ProcessHacker_'
+        - Image|contains: '\ProcessHacker_'
+        - Image|endswith:
+            - '\SystemInformer.exe'
+            - '\ProcessHacker.exe'
     selection_pe:
         - OriginalFileName:
             - 'ProcessHacker.exe'
             - 'Process Hacker'
-        - Description: 'Process Hacker'
+            - 'SystemInformer.exe'
+        - Description: 
+            - 'Process Hacker'
+            - 'System Informer'
         - Product: 'Process Hacker'
     selection_hashes:
         Hashes|contains: