From 7fab22ddc20c3b77185cf18afeed455a2eab947f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 5 Jul 2021 12:03:35 +0200
Subject: [PATCH 1/3] rule: more Kaseya patterns
---
 .../windows/process_creation/win_apt_revil_kaseya.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/rules/windows/process_creation/win_apt_revil_kaseya.yml b/rules/windows/process_creation/win_apt_revil_kaseya.yml
index 2ab3055a0..b3f6cab3a 100644
--- a/rules/windows/process_creation/win_apt_revil_kaseya.yml
+++ b/rules/windows/process_creation/win_apt_revil_kaseya.yml
@@ -7,8 +7,10 @@ references:
 - https://www.joesandbox.com/analysis/443736/0/html
 - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
 - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
+ - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
 author: Florian Roth
 date: 2021/07/03
+modified: 2021/07/05
 tags:
 - attack.execution
 - attack.g0115
@@ -23,11 +25,20 @@ detection:
 - 'del /q /f c:\kworking\agent.crt'
 - 'Kaseya VSA Agent Hot-fix'
 - '\AppData\Local\Temp\MsMpEng.exe'
+ - 'rmdir /s /q %SystemDrive%\inetpub\logs'
+ - 'del /s /q /f %SystemDrive%\\*.log'
+ - 'c:\kworking1\agent.exe'
+ - 'c:\kworking1\agent.crt'
 selection2:
 Image:
 - 'C:\Windows\MsMpEng.exe'
 - 'C:\Windows\cert.exe'
 - 'C:\kworking\agent.exe'
+ - 'C:\kworking1\agent.exe'
+ selection3:
+ CommandLine|contains|all:
+ - 'del /s /q /f'
+ - 'WebPages\Errors\webErrorLog.txt'
 condition: selection1 and selection2
 falsepositives:
 - Unknown
From 7e9d6600ebe3988c50d05e1403f5ff56a3a2f6c7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 5 Jul 2021 12:03:56 +0200
Subject: [PATCH 2/3] rule: PrinterNightmare - new mimikatz printer name
---
 .../win_registry_mimikatz_printernightmare.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
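Review bot: The new `selection3` block (`CommandLine|contains|all` with `del /s /q /f` and `WebPages\Errors\webErrorLog.txt`) is never referenced, because the context line `condition: selection1 and selection2` is left as is, so this selection is dead and the log-wiping pattern it describes will not produce an alert. If it is meant to fire on its own, the condition needs to say so, e.g. `condition: (selection1 and selection2) or selection3`; if it is meant to be a refinement, it should be folded into `selection1` instead. Note that `selection3` has no `Image` restriction, so making it a standalone branch widens the rule's false-positive surface relative to the existing `selection1 and selection2` pairing, and the false-positive section (`- Unknown`) should be updated to say what benign cleanup scripts could trip it. The `selection1:` header and its field modifier are above the hunk and not visible here.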
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index c62015f73..35d69bd94 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -11,14 +11,17 @@ tags: - attack.execution - cve.2021-1675 - cve.2021-34527 -date: 2021/06/07 +date: 2021/07/04 +modified: 2021/07/05 logsource: product: windows category: registry_event detection: selection: - TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + TargetObject|startswith: + -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz\' condition: selection falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical \ No newline at end of file From 6c4f36c47350a36ef8394c1d23a2b20000d3ee8f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 5 Jul 2021 12:05:57 +0200 Subject: [PATCH 3/3] fix: minor typo - no \ at the end of the expression --- .../registry_event/win_registry_mimikatz_printernightmare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 35d69bd94..5fd0912b4 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
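Review bot: The newly added list entry `-'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'` has no space after the dash, so YAML does not treat it as a sequence item: `-'` opens a plain scalar, and the following `- 'HKLM\...\mimikatz\'` line is most likely folded into that same scalar as a continuation. The result is that `TargetObject|startswith` is no longer a list of two prefixes but a single string beginning with `-'`, which can never match a registry path, so the rule silently stops detecting both the QMS 810 and the mimikatz driver keys. The line should read `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'`. The same line is carried unchanged as context into the PATCH 3/3 hunk, so the trailing-backslash fix there does not cure it; loading the rule with a YAML parser and asserting the value is a list would catch this class of error before merge.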
@@ -20,7 +20,7 @@ detection:
 selection:
 TargetObject|startswith:
 -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
- - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz\'
+ - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
 condition: selection
 falsepositives:
 - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)