From 7b662b7c3d64208a779bbbce0fd254c1636b4e45 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 19 May 2023 02:34:01 +0200
Subject: [PATCH] feat: add new rules related to small sieve
---
 .../2021/Malware/Small-Sieve/README.md | 16 +++++
 ...t_win_malware_small_sieve_evasion_typo.yml | 30 +++++++++
 ...eation_win_malware_small_sieve_cli_arg.yml | 21 +++++++
 ...are_small_sieve_telegram_communication.yml | 23 +++++++
 ...y_set_malware_small_sieve_evasion_typo.yml | 24 +++++++
 ...on_win_telegram_api_non_browser_access.yml | 62 +++++++++++++++++++
 6 files changed, 176 insertions(+)
 create mode 100644 rules-emerging-threats/2021/Malware/Small-Sieve/README.md
 create mode 100644 rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
 create mode 100644 rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
 create mode 100644 rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
 create mode 100644 rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
 create mode 100644 rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/README.md b/rules-emerging-threats/2021/Malware/Small-Sieve/README.md
new file mode 100644
index 000000000..f1b2336ae
--- /dev/null
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/README.md
@@ -0,0 +1,16 @@
+# Small-Sieve
+
+## Summary
+
+Small Sieve is a simple – possibly disposable – Python backdoor which is distributed using an NSIS installer that performs persistence. It provides basic functionality required to maintain and expand a foothold in victim infrastructure using custom string and traffic obfuscation schemes together with the Telegram Bot API to avoid detection.
+
+You can find more information on the threat in the following articles:
+
+- [Small Sieve - Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf)
+
+## Rules
+
+- [Small Sieve Malware File Indicator Creation](./file_event_win_malware_small_sieve_evasion_typo.yml)
+- [Small Sieve Malware CommandLine Indicator](./proc_creation_win_malware_small_sieve_cli_arg.yml)
+- [Small Sieve Malware Potential C2 Communication](./proxy_malware_small_sieve_telegram_communication.yml)
+- [Small Sieve Malware Registry Persistence](./registry_set_malware_small_sieve_evasion_typo.yml)
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
new file mode 100644
index 000000000..850bf684f
--- /dev/null
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml
@@ -0,0 +1,30 @@
+title: Small Sieve Malware File Indicator Creation
+id: 39466c42-c189-476a-989f-8cdb135c163a
+status: experimental
+description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.defense_evasion
+    - attack.t1036.005
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_typo_path:
+        TargetFilename|contains|all:
+            - ':\Users\'
+            - '\AppData\'
+        TargetFilename|contains:
+            - '\Roaming\'
+            - '\Local\'
+    selection_typo_keyword:
+        TargetFilename|contains: 'Microsift'
+    selection_ioc:
+        TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
+    condition: all of selection_typo_* or selection_ioc
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
new file mode 100644
index 000000000..adc3cd2d7
--- /dev/null
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml
@@ -0,0 +1,21 @@
+title: Small Sieve Malware CommandLine Indicator
+id: 21117127-21c8-437a-ae03-4b51e5a8a088
+status: test
+description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.persistence
+    - attack.t1574.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|endswith: '.exe Platypus'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
new file mode 100644
index 000000000..98dfc11d0
--- /dev/null
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml
@@ -0,0 +1,23 @@
+title: Small Sieve Malware Potential C2 Communication
+id: b0422664-37a4-4e78-949a-4a139309eaf0
+status: experimental
+description: Detects potential C2 communication related to Small Sieve malware
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.command_and_control
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-method: 'GET'
+        cs-host: 'api.telegram.org'
+        cs-uri-query|contains|all:
+            - 'chat_id=2090761833'
+            - 'text=com/'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical
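Review bot: The technique tag `attack.t1574.001` (DLL Search Order Hijacking) does not describe what this rule detects; the rule fires on a command-line argument, and the registry rule in the same commit ties that same `.exe Platypus` string to a `CurrentVersion\Run` value, so `attack.t1547.001` (Registry Run Keys) looks like the intended tag — confirm against the NCSC report. Separately, `CommandLine|endswith: '.exe Platypus'` misses the case where the image path is written quoted, which would end in `.exe" Platypus`; if the installer can write the path that way, extend the selector to `CommandLine|endswith: ['.exe Platypus', '.exe" Platypus']`. Finally, this file is `status: test` while every other new rule in the commit is `status: experimental`; new rules should start in the same state.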
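Review bot: The `references` entry points at the Goofy Guineapig report (`.../goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf`) although the title, description and the README in this commit concern Small Sieve, and the other four rules cite `.../small-sieve/NCSC-MAR-Small-Sieve.pdf`; the URL should be replaced with the Small Sieve one, since the reference is the only thing that lets an analyst confirm the hard-coded `chat_id=2090761833`. Given that the README describes the backdoor as possibly disposable, a note in `description` that the chat ID is a sample-specific IOC rather than a family-wide indicator would help readers judge how long the `critical` rating stays valid.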
diff --git a/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
new file mode 100644
index 000000000..b3c1cc209
--- /dev/null
+++ b/rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml
@@ -0,0 +1,24 @@
+title: Small Sieve Malware Registry Persistence
+id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
+status: experimental
+description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.persistence
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_path:
+        EventType: SetValue
+        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
+    selection_value:
+        - TargetObject|contains: 'Microsift'
+        - Details|contains: '.exe Platypus'
+    condition: all of selection_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
new file mode 100644
index 000000000..6b02bd975
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_telegram_api_non_browser_access.yml
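Review bot: The `tags` list carries only the tactic `attack.persistence` and no technique, even though `selection_path` pins the match to a `SetValue` under `\Microsoft\Windows\CurrentVersion\Run\`, which is exactly Registry Run Keys; add `- attack.t1547.001` so the rule is mapped consistently with the rest of the repository. The `selection_value` list is correctly an OR, so either the `Microsift` typo in the value name or the `.exe Platypus` argument in `Details` triggers together with the Run path — worth a one-line comment above `selection_value` stating that, since `all of selection_*` on top of a list-form selection reads ambiguously at first glance.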
@@ -0,0 +1,62 @@
+title: Suspicious Non-Browser Network Communication With Telegram API
+id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
+status: experimental
+description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
+references:
+    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/19
+tags:
+    - attack.command_and_control
+    - attack.t1102
+logsource:
+    product: windows
+    category: network_connection
+detection:
+    selection:
+        DestinationHostname|contains: 'api.telegram.org'
+    # Other browsers or apps known to use telegram should be added
+    # TODO: Add full paths for default install locations
+    filter_main_brave:
+        Image|endswith: '\brave.exe'
+    filter_main_chrome:
+        Image:
+            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
+    filter_main_firefox:
+        Image:
+            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
+    filter_main_ie:
+        Image:
+            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
+            - 'C:\Program Files\Internet Explorer\iexplore.exe'
+    filter_main_maxthon:
+        Image|endswith: '\maxthon.exe'
+    filter_main_edge_1:
+        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
+        - Image:
+            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
+            - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
+    filter_main_edge_2:
+        Image|startswith:
+            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
+            - 'C:\Program Files\Microsoft\EdgeCore\'
+        Image|endswith:
+            - '\msedge.exe'
+            - '\msedgewebview2.exe'
+    filter_main_opera:
+        Image|endswith: '\opera.exe'
+    filter_main_safari:
+        Image|endswith: '\safari.exe'
+    filter_main_seamonkey:
+        Image|endswith: '\seamonkey.exe'
+    filter_main_vivaldi:
+        Image|endswith: '\vivaldi.exe'
+    filter_main_whale:
+        Image|endswith: '\whale.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
+level: medium
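Review bot: The `Image|endswith` filters for brave, maxthon, opera, safari, seamonkey, vivaldi and whale exclude any process whose file name matches, regardless of where it runs from, so an implant dropped as `%APPDATA%\opera.exe` is suppressed by the very rule meant to catch non-browser Telegram traffic; the `TODO: Add full paths` comment acknowledges this, but the gap should be closed (or at least recorded under `falsepositives`/description as a known bypass) before the rule is promoted past `experimental`. The chrome, firefox and ie filters already show the safer shape — full default install paths — and the endswith entries should be brought in line with them, accepting that per-user installs will need extra entries. `DestinationHostname|contains: 'api.telegram.org'` also relies on the hostname field being populated by the event source; presumably that means a DNS-resolving sensor, so a note in `description` on that prerequisite would save analysts a silent miss. Minor: `description` reads "Detects an a non-browser process"; drop the stray "an".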