From 4ca81b896d044e6ff9ffb9798a7b503029a52259 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 26 May 2020 14:19:22 +0200
Subject: [PATCH 1/3] rule: Turla ComRAT report
---
.../win_apt_turla_comrat_may20.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/windows/process_creation/win_apt_turla_comrat_may20.yml
diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
new file mode 100644
index 000000000..c2b7bf877
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml
@@ -0,0 +1,33 @@
+title: Turla Group Commands May 2020
+id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
+status: experimental
+description: Detects commands used by Turla group as reported by ESET in May 2020
+references:
+ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+tags:
+ - attack.g0010
+ - attack.execution
+ - attack.t1086
+ - attack.t1053
+ - attack.t1027
+ - attack.discovery
+ - attack.t1016
+author: Florian Roth
+date: 2020/05/26
+logsource:
+ category: process_creation
+ product: windows
+falsepositives:
+ - Unknown
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'tracert -h 10 yahoo.com'
+ - '.WSqmCons))|iex;'
+ - 'Fr`omBa`se6`4Str`ing'
+ selection2:
+ CommandLine|contains|all:
+ - 'net use https://docs.live.net'
+ - '@aol.co.uk'
+ condition: 1 of them
+level: critical
From 76dcc1a16fff440951c2d5d15307b8337ae6f792 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 28 May 2020 09:22:25 +0200
Subject: [PATCH 2/3] rule: renamed debugview
---
.../sysmon/sysmon_susp_renamed_debugview.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
diff --git a/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml b/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
new file mode 100644
index 000000000..065bc8919
--- /dev/null
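Review bot: `falsepositives` lists only `Unknown`, yet the first `selection1` value, `'tracert -h 10 yahoo.com'`, is an ordinary connectivity check an administrator can also type by hand, and because `condition: 1 of them` fires on any single match it alone raises the rule at `level: critical`; the remaining `selection1` strings and the `selection2` pair are bound to the reported tooling and far less likely to collide. Naming the known benign case, e.g. `  - Administrators tracing the route to yahoo.com with a 10-hop limit`, tells triage which indicator to check first. The `description` could also name the malware the referenced report covers, as the commit title does: `description: Detects commands used by Turla group (ComRAT) as reported by ESET in May 2020`.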
+++ b/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
@@ -0,0 +1,24 @@
+title: Renamed SysInternals Debug View
+id: cd764533-2e07-40d6-a718-cfeec7f2da7f
+status: experimental
+description: Detects suspicious renamed SysInternals DebugView execution
+references:
+ - https://www.epicturla.com/blog/sysinturla
+author: Florian Roth
+date: 2020/05/28
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ Product:
+ - 'Sysinternals DebugView'
+ - 'Sysinternals Debugview'
+ filter:
+ OriginalFilename: 'Dbgview.exe'
+ Image|endswith: '\Dbgview.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
From 39b41b5582ac76ddd8fe694ce31dc6288d60b631 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 28 May 2020 10:13:38 +0200
Subject: [PATCH 3/3] rule: moved DebugView rule to process creation category
---
.../win_susp_renamed_debugview.yml} | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
rename rules/windows/{sysmon/sysmon_susp_renamed_debugview.yml => process_creation/win_susp_renamed_debugview.yml} (93%)
diff --git a/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
similarity index 93%
rename from rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
rename to rules/windows/process_creation/win_susp_renamed_debugview.yml
index 065bc8919..dcab5bd63 100644
--- a/rules/windows/sysmon/sysmon_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -7,11 +7,10 @@ references:
author: Florian Roth
date: 2020/05/28
logsource:
+ category: process_creation
product: windows
- service: sysmon
detection:
selection:
- EventID: 1
Product:
- 'Sysinternals DebugView'
- 'Sysinternals Debugview'
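Review bot: The `Product` values `'Sysinternals DebugView'` and `'Sysinternals Debugview'` differ only in case, and Sigma string matching is case-insensitive on the usual backends, so the second entry is redundant; if it is kept on purpose for a case-sensitive backend, a short comment above the list saying so will stop the next editor from pruning it. The two keys under `filter` are ANDed, so `OriginalFilename: 'Dbgview.exe'` presumably only restates what the `Product` selection already implies, and the line that actually separates a renamed copy from the original is `Image|endswith: '\Dbgview.exe'`; a comment such as `# suppress only when the on-disk name still matches the PE's OriginalFilename` would make that intent explicit. The same `Product` list is carried unchanged into the hunk of the third patch.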
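Review bot: Replacing `service: sysmon` and `EventID: 1` with `category: process_creation` widens the rule to any process-creation source, but `Product` in this hunk and `OriginalFilename` in the `filter` block that follows below the hunk are fields Sysmon Event ID 1 supplies; on a source that lacks them (a 4688-style audit log, for instance) the selection can never match, so the rule goes silent rather than noisy, which is easy to mistake for a clean environment. A comment above `logsource:` such as `# needs a process_creation source that carries Product and OriginalFilename (Sysmon EID 1 does)` would record that dependency for whoever maps the rule to a new backend. The `detection` block continues past the end of the hunk.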