Merge pull request #3741 from nasbench/nasbench-rule-devel

feat: new rules, fixes and general updates

rules/windows/builtin/system/win_system_service_install_mesh_agent.yml

@@ -0,0 +1,25 @@
+title: Mesh Agent Service Installation
+id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
+status: experimental
+description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
+references:
+    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_root:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+    selection_service:
+        - ImagePath|contains: 'MeshAgent.exe'
+        - ServiceName|contains: 'Mesh Agent'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of the tool
+level: medium

rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml

@@ -0,0 +1,25 @@
+title: TacticalRMM Service Installation
+id: 4bb79b62-ef12-4861-981d-2aab43fab642
+status: experimental
+description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
+references:
+    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+    - attack.command_and_control
+    - attack.t1219
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_root:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+    selection_service:
+        - ImagePath|contains: 'tacticalrmm.exe'
+        - ServiceName|contains: 'TacticalRMM Agent Service'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of the tool
+level: medium

rules/windows/driver_load/driver_load_vuln_drivers.yml

@@ -21,7 +21,7 @@ references:
     - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 author: Nasreddine Bencherchali
 date: 2022/08/18
-modified: 2022/11/28
+modified: 2022/11/29
 tags:
     - attack.privilege_escalation
     - attack.t1543.003
@@ -287,6 +287,13 @@ detection:
             # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
             # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
             - 'SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+            # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+            - 'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+            - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92'
+            - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+            - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+            - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327'
+            - 'SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e'
             # The list below is from https://github.com/namazso/physmem_drivers
             - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
             - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
@@ -540,6 +547,13 @@ detection:
             # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
             # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
             - 'SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+            # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+            - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+            - 'SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+            - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+            - 'SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+            - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+            - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
     selection_other:
         - SHA1:
             # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
@@ -798,6 +812,13 @@ detection:
             # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
             # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
             - '06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+            # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+            - 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+            - '4927d843577bada119a17b249ff4e7f5e9983a92'
+            - 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+            - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+            - '755349d56cdd668ca22eebc4fc89f0cccef47327'
+            - '56af49e030eb85528e82849d7d1b6147f3c4973e'
         - SHA256:
             # The list below is from https://github.com/namazso/physmem_drivers
             - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -1059,6 +1080,13 @@ detection:
             # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
             # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
             - '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+            # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+            - 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+            - '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+            - '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+            - '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+            - '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+            - '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
     condition: 1 of selection*
 falsepositives:
     - Unknown

rules/windows/driver_load/driver_load_vuln_drivers_names.yml

@@ -20,7 +20,7 @@ references:
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
 author: Nasreddine Bencherchali
 date: 2022/10/03
-modified: 2022/10/17
+modified: 2022/11/29
 tags:
     - attack.privilege_escalation
     - attack.t1543.003
@@ -203,6 +203,11 @@ detection:
             - '\ohm.sys'
             - '\sensorsview32_64.sys'
             - '\touchpointanalyticsclient.sys'
+            # PowerTool driver (kEvP64) renames from VT
+            - '\CQg5Jf.sys'
+            - '\HCdRDh.sys'
+            - '\NcDgDn.sys'
+            - '\vLTZ19.sys'
     condition: selection
 falsepositives:
     - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.

rules/windows/process_creation/proc_creation_win_powertool_execution.yml

@@ -0,0 +1,27 @@
+title: PowerTool Execution
+id: a34f79a3-8e5f-4cc3-b765-de00695452c2
+status: experimental
+description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+references:
+    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+    - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+    - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
+    - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
+author: Nasreddine Bencherchali
+date: 2022/11/29
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        - Image|endswith:
+            - '\PowerTool.exe'
+            - '\PowerTool64.exe'
+        - OriginalFileName: 'PowerTool.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml

@@ -1,11 +1,12 @@
 title: Raspberry Robin Dot Ending File
 id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
 status: experimental
-description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin
+description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
 author: Nasreddine Bencherchali
 references:
     - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 date: 2022/10/28
+modified: 2022/11/28
 tags:
     - attack.execution
 logsource:
@@ -16,7 +17,7 @@ detection:
         # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
         # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
         # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
-        CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}"
+        CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}"
     filter:
         # This filter is used to exclude double extension files
         CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}"