From 7d3ef2a1d3e383b926038579ea05615ff9c53eec Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 5 Apr 2023 00:31:24 +0200
Subject: [PATCH] chore: move more rules
---
 .../windows}/proc_creation_win_apt_ta505_dropper.yml | 4 ++--
 .../APT31}/proc_creation_win_apt_apt31_judgement_panda.yml | 0
 rules-threat-hunting/README.md | 0
 .../proc_creation_win_wmiprvse_susp_child_processes.yml | 5 ++++-
 4 files changed, 6 insertions(+), 3 deletions(-)
 rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_apt_ta505_dropper.yml (94%)
 rename {rules/windows/process_creation => rules-emerging-threats/2019/APT31}/proc_creation_win_apt_apt31_judgement_panda.yml (100%)
 create mode 100644 rules-threat-hunting/README.md
diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
similarity index 94%
rename from rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
rename to rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
index ea997d9cc..529935535 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml
+++ b/rules-deprecated/windows/proc_creation_win_apt_ta505_dropper.yml
@@ -1,12 +1,12 @@
 title: TA505 Dropper Load Pattern
 id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
-status: test
+status: deprecated
 description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
 references:
 - https://twitter.com/ForensicITGuy/status/1334734244120309760
 author: Florian Roth (Nextron Systems)
 date: 2020/12/08
-modified: 2022/03/31
+modified: 2023/04/05
 tags:
 - attack.execution
 - attack.g0092
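Review bot: The file flipped to `status: deprecated` carries no forward pointer to the rule that supersedes it; the only link is the `type: obsoletes` entry added to proc_creation_win_wmiprvse_susp_child_processes.yml elsewhere in this patch, so anyone opening this file has to search the repository for its id to learn where coverage of the mshta-under-wmiprvse pattern moved. If the rule schema permits free text here, prefixing the description would make the hand-off self-describing, e.g. `description: Deprecated in favour of proc_creation_win_wmiprvse_susp_child_processes.yml. Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents`. The rule body (detection, falsepositives, level) lies outside this hunk.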
diff --git a/rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml b/rules-emerging-threats/2019/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_apt31_judgement_panda.yml
rename to rules-emerging-threats/2019/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
diff --git a/rules-threat-hunting/README.md b/rules-threat-hunting/README.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
index 0dc09f77f..f4f43b174 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
@@ -5,13 +5,16 @@ related:
 type: similar
 - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 type: similar
+ - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
+ type: obsoletes
 status: test
 description: Detects suspicious and uncommon child processes of WmiPrvSE
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
-author: Vadim Khrykov (ThreatIntel), Cyb3rEng
+ - https://twitter.com/ForensicITGuy/status/1334734244120309760
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
 date: 2021/08/23
 modified: 2023/03/23
 tags:
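Review bot: `modified: 2023/03/23` is left untouched although this hunk changes the rule's metadata (a new `related` entry, an added reference and an added author), while the TA505 rule deprecated in the same patch does get `modified: 2023/04/05`; bump it here as well, `modified: 2023/04/05`, so consumers that track rule revisions by that field pick up the change. The new `type: obsoletes` relation asserts that this rule now covers what 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4 detected — per that rule's description, mshta started with wmiprvse as parent — but the `detection` section is outside the hunk, so whether mshta is among the child processes matched cannot be confirmed from here and should be verified before merging, otherwise the deprecation silently drops coverage. The rule continues on both sides of this hunk.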