Merge PR #4850 from @frack113 - Cleanup rule conditions to align with standard

chore: Cleanup conditions update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-05-13 12:10:33 +02:00
parent aaf51bf880
commit 7d6f32d1be
11 changed files with 49 additions and 46 deletions
@@ -19,7 +19,7 @@ cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.2
 bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
-9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
+9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
 81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore
@@ -1,24 +1,22 @@
-title: Malicious Service Installations
+title: CosmicDuke Service Installation
 id: cb062102-587e-4414-8efa-dbe3c7bf19c6
 related:
    - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
      type: derived
 status: test
-description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
+description: |
+    Detects the installation of a service named "javamtsup" on the system.
+    The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
 references:
-    - https://awakesecurity.com/blog/threat-hunting-for-paexec/
-    - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
 author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
 date: 2017/03/27
 modified: 2022/10/09
 tags:
    - attack.persistence
-    - attack.privilege_escalation
-    - attack.t1003
-    - car.2013-09-005
    - attack.t1543.003
    - attack.t1569.002
+    - detection.emerging_threats
 logsource:
    product: windows
    service: security
@@ -26,9 +24,8 @@ logsource:
 detection:
    selection:
        EventID: 4697
-    malsvc_apt29:
        ServiceName: 'javamtsup'
-    condition: selection and 1 of malsvc_*
+    condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: critical
@@ -1,32 +1,37 @@
-title: Suspicious Add Scheduled Task Parent
+title: Scheduled Task Creation From Potential Suspicious Parent Location
 id: 9494479d-d994-40bf-a8b1-eea890237021
 status: test
-description: Detects suspicious scheduled task creations from a parent stored in a temporary folder
+description: |
+    Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
+    Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
 references:
    - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
 author: Florian Roth (Nextron Systems)
 date: 2022/02/23
-modified: 2022/06/02
+modified: 2024/05/13
 tags:
    - attack.execution
    - attack.t1053.005
+    - detection.threat_hunting
 logsource:
    product: windows
    category: process_creation
 detection:
    selection:
-        Image|endswith: '\schtasks.exe'
-        CommandLine|contains: '/Create '
        ParentImage|contains:
+            - ':\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Temporary Internet'
            - '\Users\Public\'
-    filter:
+            - '\Windows\Temp\'
+        Image|endswith: '\schtasks.exe'
+        CommandLine|contains: '/Create '
+    filter_optional_common:
        CommandLine|contains:
            - 'update_task.xml'
            - 'unattended.ini'
-    condition: selection and not 1 of filter*
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
    - Software installers that run from temporary folders and also install scheduled tasks
 level: medium
@@ -1,7 +1,9 @@
 title: Suspicious Executable File Creation
 id: 74babdd6-a758-4549-9632-26535279e654
 status: test
-description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
+description: |
+    Detect creation of suspicious executable file names.
+    Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
 references:
    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
@@ -15,7 +17,7 @@ logsource:
    product: windows
    category: file_event
 detection:
-    selection_double:
+    selection:
        TargetFilename|endswith:
            - ':\$Recycle.Bin.exe'
            - ':\Documents and Settings.exe'
@@ -24,7 +26,7 @@ detection:
            - ':\Recovery.exe'
            - '.bat.exe'
            - '.sys.exe'
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -1,12 +1,14 @@
-title: Format.com FileSystem LOLBIN
+title: Uncommon FileSystem Load Attempt By Format.com
 id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
 status: test
-description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
+description: |
+    Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
 references:
    - https://twitter.com/0gtweet/status/1477925112561209344
    - https://twitter.com/wdormann/status/1478011052130459653?s=20
 author: Florian Roth (Nextron Systems)
 date: 2022/01/04
+modified: 2024/05/13
 tags:
    - attack.defense_evasion
 logsource:
@@ -16,14 +18,14 @@ detection:
    selection:
        Image|endswith: '\format.com'
        CommandLine|contains: '/fs:'
-    filter:
+    filter_main_known_fs:
        CommandLine|contains:
-            - '/fs:FAT'
            - '/fs:exFAT'
+            - '/fs:FAT'
            - '/fs:NTFS'
-            - '/fs:UDF'
            - '/fs:ReFS'
-    condition: selection and not 1 of filter*
+            - '/fs:UDF'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
    - Unknown
 level: high
@@ -15,13 +15,13 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_mstsc:
+    selection:
        Image|endswith: '\ruby.exe'
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
-    condition: 1 of selection_*
+    condition: selection
 falsepositives:
    - Unknown
 level: medium
@@ -39,7 +39,7 @@ detection:
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
-    condition: selection_reg_add and 1 of selection_cli_*
+    condition: all of selection_*
 falsepositives:
    - Unlikely
 level: high
@@ -22,9 +22,6 @@ detection:
            - ' /sc once '
            - '\Temp\'
    condition: selection
-fields:
-    - CommandLine
-    - ParentCommandLine
 falsepositives:
    - Administrative activity
    - Software installation
@@ -18,21 +18,21 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    schtasks_exe:
+    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/delete'
            - '/tn'
        CommandLine|contains:
            # Add more important tasks
-            - '\Windows\SystemRestore\SR'
-            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
+            - '\Windows\ExploitGuard'
+            - '\Windows\SystemRestore\SR'
+            - '\Windows\UpdateOrchestrator\'
+            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
-            - '\Windows\UpdateOrchestrator\'
-            - '\Windows\ExploitGuard'
-    condition: all of schtasks_*
+    condition: selection
 falsepositives:
    - Unlikely
 level: high
@@ -19,7 +19,7 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    schtasks_exe:
+    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Change'
@@ -27,14 +27,14 @@ detection:
            - '/disable'
        CommandLine|contains:
            # Add more important tasks
-            - '\Windows\SystemRestore\SR'
-            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
+            - '\Windows\ExploitGuard'
+            - '\Windows\SystemRestore\SR'
+            - '\Windows\UpdateOrchestrator\'
+            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
-            - '\Windows\UpdateOrchestrator\'
-            - '\Windows\ExploitGuard'
-    condition: all of schtasks_*
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -44,7 +44,7 @@ detection:
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
-    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (1 of selection_parent_* and not 1 of filter_main_parent_*)
+    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
 falsepositives:
    - Unknown
 level: high